David.Writes("<Code>");

Don't mind me… just here to take over the world…

drupal XSS filtering removes unrecognized tags

So I just installed drupal 7.10 and am playing around with it a bit.  I changed my site name to david->writes(‘<drupal>’);.  What I got was david->writes(”);.  I got the same thing when trying to post this message to the drupal forums, as I figured I might.  So I manually escaped it.  I figured the validation was removing the <drupal> “tag”, so I found where this takes place in the_filter_xss_split function in includes/common.inc.

If the text looks like a tag, but is not one of the listed supported tags, an empty string is returned. Seems a little lazy really. So, on line 1411, I changed the

return '';

to

return '&lt;'.$elem.'&gt;';

Anyway, my site name shows up correctly now.

I haven’t tested this thoroughly, but I don’t see how it would cause a problem. It’s just a little escape action.

Has anyone else seen this and fixed it? Anyone see any potential problems? Other comments?

P.S.  View the forum conversation here:  http://drupal.org/node/1412910

  • Hey David,
    I have been trying to track you down. We have some freelance work for our agency and wasnt sure if you were interested. Please contact us if you have some time.
    Thanks.
    Justin Ramb