Merge commit from fork

* introduce wrapper class to keep unescaped variants available for templates

* escape more settings before usage

app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php

@@ -0,0 +1,35 @@
+<?php
+declare(strict_types=1);
+
+/**
+ *
+ */
+class Mage_Core_Model_Security_HtmlEscapedString implements Stringable
+{
+
+    protected $originalValue;
+    protected $allowedTags;
+
+    /**
+     * @param string $originalValue
+     * @param string[]|null $allowedTags
+     */
+    public function __construct(string $originalValue, ?array $allowedTags = null)
+    {
+        $this->originalValue = $originalValue;
+        $this->allowedTags = $allowedTags;
+    }
+
+    public function __toString(): string
+    {
+        return (string) Mage::helper('core')->escapeHtml(
+            $this->originalValue,
+            $this->allowedTags
+        );
+    }
+
+    public function getUnescapedValue(): string
+    {
+        return $this->originalValue;
+    }
+}

app/code/core/Mage/Page/Block/Html/Header.php

@@ -57,7 +57,9 @@ public function setLogo($logo_src, $logo_alt)
     public function getLogoSrc()
     {
         if (empty($this->_data['logo_src'])) {
-            $this->_data['logo_src'] = Mage::getStoreConfig('design/header/logo_src');
+            $this->_data['logo_src'] =  new Mage_Core_Model_Security_HtmlEscapedString(
+                (string) Mage::getStoreConfig('design/header/logo_src')
+            );
         }
         return $this->getSkinUrl($this->_data['logo_src']);
     }
@@ -68,7 +70,9 @@ public function getLogoSrc()
     public function getLogoSrcSmall()
     {
         if (empty($this->_data['logo_src_small'])) {
-            $this->_data['logo_src_small'] = Mage::getStoreConfig('design/header/logo_src_small');
+            $this->_data['logo_src_small'] =  new Mage_Core_Model_Security_HtmlEscapedString(
+                (string) Mage::getStoreConfig('design/header/logo_src_small')
+            );
         }
         return $this->getSkinUrl($this->_data['logo_src_small']);
     }
@@ -79,7 +83,9 @@ public function getLogoSrcSmall()
     public function getLogoAlt()
     {
         if (empty($this->_data['logo_alt'])) {
-            $this->_data['logo_alt'] = Mage::getStoreConfig('design/header/logo_alt');
+            $this->_data['logo_alt'] = new Mage_Core_Model_Security_HtmlEscapedString(
+                (string) Mage::getStoreConfig('design/header/logo_alt')
+            );
         }
         return $this->_data['logo_alt'];
     }
@@ -97,7 +103,9 @@ public function getWelcome()
             if (Mage::isInstalled() && Mage::getSingleton('customer/session')->isLoggedIn()) {
                 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml(Mage::getSingleton('customer/session')->getCustomer()->getName()));
             } else {
-                $this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
+                $this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
+                    (string) Mage::getStoreConfig('design/header/welcome')
+                );
             }
         }
 

app/code/core/Mage/Page/Block/Html/Welcome.php

@@ -44,7 +44,9 @@ protected function _toHtml()
             if (Mage::isInstalled() && $this->_getSession()->isLoggedIn()) {
                 $this->_data['welcome'] = $this->__('Welcome, %s!', $this->escapeHtml($this->_getSession()->getCustomer()->getName()));
             } else {
-                $this->_data['welcome'] = Mage::getStoreConfig('design/header/welcome');
+                $this->_data['welcome'] = new Mage_Core_Model_Security_HtmlEscapedString(
+                    (string) Mage::getStoreConfig('design/header/welcome')
+                );
             }
         }