My website has a title with an ampersand. Unfortunately, the ampersand is not html-encoded properly by the Acquia Prosper theme.

With the default Drupal theme (garland) entering the ampersand on /admin/settings/site-information leads to a (properly encoded) '&amp;' in the final html output. Acquia Prosper requires me to input '&amp;' otherwise it leads to html validation errors.

Comments

jeremycaldwell

Assigned: Unassigned » sociotech
coltrane

I was unable to get full tags to be interpreted from this field, though it may be possible. This issue can be fixed publicly per the Security team's policy around advanced permissions. In this case the permission 'administer site configuration' is required to edit the field.

thekk

Version: 6.x-1.0-beta4 » 6.x-1.1
Priority: Normal » Major

This bug can be exploited by loading javascript in the title tag. Steps to reproduce (on a D6 website with Acquia Prosper 1.1):

- Log in as user with administer site configuration permission
- Go to mysite/admin/settings/site-information
- Set title to:
Site title</title><script>alert('XSS Example')</script><title>

I haven't investigated if this is only possible with Acquia Prosper, or if the error lies in Fusion or Skinr.

A side note: perhaps it is a good idea to sanitize this field in the core module, and not rely on every theme to sanitize the title.

thekk

The first issue (having to enter &amp; in the site name field to allow proper html validation) can be fixed by sanitizing $site_name in the page.tpl.php.

This does not remove the vulnerability to $head_title described in the above post, but I feel that's something that should be fixed in core.
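As an added illustration of the fix described in the comment above (this is not code from the Acquia Prosper, Fusion or Skinr projects, nor code posted in this thread), here is a trimmed Drupal 6 page.tpl.php that escapes the site name and the head title at output time with core's check_plain(). It assumes the theme currently prints $site_name and $head_title raw; the extra variables used ($head, $front_page, $content) are the standard Drupal 6 page template variables.

```php
<?php
/*
 * Added example: a minimal Drupal 6 page.tpl.php fragment.
 *
 * Assumed weak pattern (a theme printing the raw values):
 *   <title><?php print $head_title; ?></title>
 *   <h1><?php print $site_name; ?></h1>
 * A raw '&' in the site name reaches the browser unencoded (invalid HTML),
 * and a site name containing "</title><script>" breaks out of the <title>
 * element, which is the XSS described in the thread.
 *
 * Fix: escape with check_plain(), which converts & < > " ' into HTML
 * entities. Apply it exactly once: if a preprocess function has already
 * escaped the variable, escaping again produces "&amp;amp;" in the output.
 */
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <!-- Escaped: a site name of "Site & Co" renders as "Site &amp; Co",
       and "</title><script>" renders as inert text inside the title. -->
  <title><?php print check_plain($head_title); ?></title>
  <?php print $head; ?>
</head>
<body>
  <h1 id="site-name">
    <!-- check_url() keeps the href a valid URL; check_plain() escapes the
         site name both in the title attribute and in the link text. -->
    <a href="<?php print check_url($front_page); ?>"
       title="<?php print check_plain($site_name); ?>">
      <?php print check_plain($site_name); ?>
    </a>
  </h1>
  <?php print $content; ?>
</body>
</html>
```

The design point is that escaping belongs at the output boundary: the template decides the output context (HTML element text, attribute value), so it is the place where the entity encoding must be chosen, and every theme that prints the value must do it, which is why the comment above argues for core taking over that job.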