There are two cross-site scripting bugs in the marinelli theme. This problem was posted on security.drupal.org but the issue was closed because marinelli does not have a stable version. Please advise me on how to provide the details of these bugs. Can I post the details here publicly?

Attachment #1: marinelli-100718-11b.patch (1.19 KB), by Dennis Walgaard

Comments

Dennis Walgaard (attached marinelli-100718-11b.patch, 1.19 KB):

The settings page of the Marinelli theme (/admin/appearance/settings/marinelli) contains a stored cross-site scripting (XSS) problem. Under Banner Management > Banner configuration, the values entered in the title field are not properly sanitized when they are output to the screen.

Reproduce
-Install a clean version of Drupal. I used drupal-7.26.
-Download and install the latest version of the Marinelli theme. I used marinelli-7.x-3.0-beta11.
-Go to [site]/admin/appearance/settings/marinelli.
-Click 'Save configuration' at the bottom of the screen.

-Open Banner management
-Open Banner configuration
-Click one of the image tabs
-Add <script>alert(1);</script> to the title value.
-Click 'Save configuration' at the bottom of the screen.

Result
-A JavaScript popup is shown.
-The source code of the page contains the following HTML with the unsanitized cross-site scripting code.

<fieldset class="collapsible form-wrapper" id="edit-images-1"><legend><span class="fieldset-legend">Image 2: <script>alert(1);</script></span></legend>

The result depends on the security level of your browser. Some browsers have XSS protection. I've tested this with Firefox v26.

Solution
The problem is on line 362 of theme_settings.php.

  foreach ($banners as $image_data) {
    $form['banner']['images'][$i] = array(
      '#type' => 'fieldset',
      // '!title' inserts image_title verbatim: no escaping is applied.
      '#title' => t('Image !number: !title', array('!number' => $i + 1, '!title' => $image_data['image_title'])),
      // ... rest of the fieldset definition (not shown in this post)
    );
  }

The image_title is added to the form. But by using the exclamation mark (!) in the placeholder, the value is not sanitized. Apparently the value is also not sanitized by the Drupal Form API. The unsanitized value is added to the title of the tab of the image.

To solve this problem, use a placeholder starting with an at sign (@) to sanitize the value.

  foreach ($banners as $image_data) {
    $form['banner']['images'][$i] = array(
      '#type' => 'fieldset',
      // '@title' runs image_title through check_plain() before insertion.
      '#title' => t('Image !number: @title', array('!number' => $i + 1, '@title' => $image_data['image_title'])),
      // ... rest of the fieldset definition (not shown in this post)
    );
  }

Exploit
This problem can be exploited by someone with the 'Administer themes' permission to attack a user with more privileges. The attacker adds the XSS code to a title field and saves the page. When another user visits the page, the XSS code is executed. With specially crafted XSS code the attacker can obtain the session cookie of the victim and log in as that user. This is an escalation of his privileges.

---------------------------

On the settings page of the Marinelli theme the text of the sticky icon can be configured ('String settings' > 'text of the sticky icon'). This text is shown next to the title of a node in teaser view when the node has the 'Sticky at top of lists' setting enabled. This value is not sanitized when it is output to the screen.

Reproduce
-Go to [site]/admin/appearance/settings/marinelli.
-Add the following text in the 'String settings' > 'text of the sticky icon' field.

Sticky!!!<script>alert(1);</script>

-Click 'Save configuration' at the bottom of the screen.
-Create a new node. Go to Publishing options. Check the 'Published', 'Promoted to front page', and 'Sticky at top of lists' settings. Save the node.
-Go to the homepage.

I used drupal-7.26 and marinelli-7.x-3.0-beta11.

Result
-A JavaScript popup is shown.
-The source code of the page contains the following HTML with the unsanitized cross-site scripting code.

<div class="teaser-content">
<h2 class="teaser-title">
<a href="/xss/node/1">test</a><span class="teaser-sticky">Sticky!!!<script>alert(1);</script></span>

The result depends on the security level of your browser. Some browsers have XSS protection. I've tested this with Firefox v26.

Solution
To correct this problem a fix is needed in templates\node--teaser.tpl.php.
On line 15 the $sticky_text variable is used in the t() function without using placeholders.
By using a placeholder which starts with @, the value is sanitized.
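The following is an added example, not code from this post, from the Marinelli theme or from Drupal core. It is a stand-alone PHP script that re-implements (in simplified form, as an assumption about the relevant behaviour) the placeholder rules of Drupal 7's format_string(), which t() uses, and runs the two attacker-controlled values from the reproduction steps above through it. It shows why a '!' placeholder passes the banner title through verbatim, why switching to '@' neutralises it, and why calling t() directly on the configured sticky text (no placeholder) escapes nothing, whereas a '@' placeholder does. The names check_plain, drupal_placeholder and format_string mirror Drupal 7's function names, but the bodies here are a local re-implementation so the script runs without a Drupal install.

```php
<?php
// Added illustration; not Marinelli or Drupal core code.
// Minimal re-implementation of Drupal 7's placeholder handling so this runs
// offline. Real t() additionally performs translation lookup.

function check_plain($text) {
  // Drupal 7 escapes with htmlspecialchars(), ENT_QUOTES, UTF-8.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function drupal_placeholder($text) {
  // '%' placeholders: escaped and wrapped in an emphasised placeholder span.
  return '<em class="placeholder">' . check_plain($text) . '</em>';
}

function format_string($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':      // escaped plain text
        $args[$key] = check_plain($value);
        break;
      case '!':      // inserted verbatim; caller must have sanitized it already
        break;
      case '%':      // escaped and wrapped
      default:
        $args[$key] = drupal_placeholder($value);
        break;
    }
  }
  return strtr($string, $args);
}

// Returns TRUE when an unescaped <script tag survived into the output.
function contains_live_script($html) {
  return strpos($html, '<script') !== FALSE;
}

// Constructed attacker-controlled values, taken from the reproduction steps.
$image_title = '<script>alert(1);</script>';
$sticky_text = 'Sticky!!!<script>alert(1);</script>';
$i = 1;

// Issue 1 (theme_settings.php): '!title' vs '@title'.
$title_vulnerable = format_string('Image !number: !title',
  array('!number' => $i + 1, '!title' => $image_title));
$title_fixed = format_string('Image !number: @title',
  array('!number' => $i + 1, '@title' => $image_title));

// Issue 2 (node--teaser.tpl.php): t($sticky_text) with no placeholders is
// format_string() with an empty $args array, so nothing is escaped.
$sticky_vulnerable = format_string($sticky_text);
$sticky_fixed = format_string('@text', array('@text' => $sticky_text));

$cases = array(
  'banner title, !title (vulnerable)' => $title_vulnerable,
  'banner title, @title (fixed)'      => $title_fixed,
  'sticky text, no placeholder (vulnerable)' => $sticky_vulnerable,
  'sticky text, @text (fixed)'        => $sticky_fixed,
);

$problems = 0;
foreach ($cases as $label => $html) {
  $live = contains_live_script($html);
  printf("%-42s %s\n    %s\n", $label, $live ? 'SCRIPT SURVIVES' : 'escaped', $html);
  // Sanity check that the fixed variants really escape and the vulnerable
  // ones really do not.
  if ((strpos($label, 'fixed') !== FALSE) === $live) {
    $problems++;
  }
}
exit($problems === 0 ? 0 : 1);
```

Run it with `php example.php`. The two "vulnerable" lines print the literal `<script>` tag, reproducing the HTML quoted in the comment above, while the "fixed" lines print `&lt;script&gt;alert(1);&lt;/script&gt;`. When reviewing a Drupal 7 theme or module for this class of bug, grep for `!` placeholders in t() and format_string() calls and for t() calls whose first argument is a variable rather than a literal string; each one needs either a '@'/'%' placeholder or an explicit check_plain() on the value before it reaches markup.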