id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
13377	Add more sanitization in _cleanup_header_comment	seanklein	ryan	"The _cleanup_header_comment function is used in multiple places, but one in particular can cause some problems on the Page edit screen (or any screen that uses page templates).  The get_page_templates function (which gets the list of page templates to display in a <select> box on the page edit screen) uses to cleanup the page templates retrieved from a file.  

Unfortunately the function does not sanitize enough, and if (for instance) JavaScript existed in the page template name it would be run on the Page Edit screen.

To test, add some JavaScript (with <script> tags) to the ""Template Name:"" line of a page template, and load the Page edit screen."	defect (bug)	new	normal	Future Release	Security	3.0	normal		has-patch