So I just installed drupal 7.10 and am playing around with it a bit. I changed my site name to david->writes(‘<drupal>’);. What I got was david->writes(”);. I got the same thing when trying to post this message to the drupal forums, as I figured I might. So I manually escaped it. I figured the validation was removing the <drupal> “tag”, so I found where this takes place in the_filter_xss_split function in includes/common.inc.
If the text looks like a tag, but is not one of the listed supported tags, an empty string is returned. Seems a little lazy really. So, on line 1411, I changed the
Anyway, my site name shows up correctly now.
I haven’t tested this thoroughly, but I don’t see how it would cause a problem. It’s just a little escape action.
Has anyone else seen this and fixed it? Anyone see any potential problems? Other comments?
P.S. View the forum conversation here: http://drupal.org/node/1412910