authormarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-08-06 10:08:52 +0000
committermarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-08-06 10:08:52 +0000
commitd4618559386b918a13dac673f31ebd500250da10 (patch)
tree1d1f00778939dd07744f719e1ac7337438ab7612 /views/default/input/button.php
parenteb337414c27bacbf7965a1595977a32ed90954e3 (diff)
downloadelgg-d4618559386b918a13dac673f31ebd500250da10.tar.gz
elgg-d4618559386b918a13dac673f31ebd500250da10.tar.bz2
Images and security fixes
git-svn-id: https://code.elgg.org/elgg/trunk@1729 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'views/default/input/button.php')
-rw-r--r--views/default/input/button.php8
1 files changed, 6 insertions, 2 deletions
diff --git a/views/default/input/button.php b/views/default/input/button.php
index a44ac4913..115324533 100644
--- a/views/default/input/button.php
+++ b/views/default/input/button.php
@@ -15,9 +15,12 @@
* @uses $vars['js'] Any Javascript to enter into the input tag
* @uses $vars['internalname'] The name of the input field
* @uses $vars['type'] Submit or reset, defaults to submit.
+ * @uses $vars['src'] Src of an image
*
*/
+ global $CONFIG;
+
$type = strtolower($vars['type']);
switch ($type)
{
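Review bot: The new `@uses $vars['src']` line does not document the restriction that the second hunk enforces, so a caller reading the docblock cannot tell why an image URL silently disappears. I would word it as `@uses $vars['src'] Src of an image; must be located under $CONFIG->wwwroot, otherwise it is blanked`. The docblock still describes `type` as "Submit or reset", while `src` only has meaning on an image button; whether the `switch` that starts here accepts such a type cannot be seen, because its body continues outside the hunk.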
@@ -29,6 +32,7 @@
$value = htmlentities($vars['value']);
$name = $vars['internalname'];
-
+ $src = $vars['src'];
+ if (strpos($src,$CONFIG->wwwroot)===false) $src = ""; // blank src if trying to access an offsite image.
?>
-<input type="<?php echo $type; ?>" class="<?php echo $type; ?>_button" <?php echo $vars['js']; ?> value="<?php $value; ?>" /> \ No newline at end of file
+<input type="<?php echo $type; ?>" class="<?php echo $type; ?>_button" <?php echo $vars['js']; ?> value="<?php $value; ?>" src="<?php echo $src; ?>" /> \ No newline at end of file
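Review bot: The offsite check on the added `strpos` line is a substring test rather than a prefix test, so a URL on another host that merely contains `$CONFIG->wwwroot` somewhere later in its path or query is accepted as local; compare the position with zero instead, `if (strpos($src, $CONFIG->wwwroot) !== 0) $src = "";`. `$src` is then echoed into the attribute without escaping, unlike `$value`, so a double quote in it can close the attribute and add markup; `src="<?php echo htmlentities($src, ENT_QUOTES); ?>"` would prevent that. `$vars['src']` is also read without an `isset` check, which raises a notice for every button rendered without an image. Separately, the new `<input>` line carries over `value="<?php $value; ?>"` without `echo`, so the value attribute is always emitted empty.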