From 4edd072e83beaf9e2d98f11242d91323cb9d74b4 Mon Sep 17 00:00:00 2001
From: Ivan Tcholakov
Date: Sat, 5 Mar 2011 22:36:38 +0200
Subject: [PATCH] Task #3055 - Implementing lighter sanitation for the input parameter $image_path, method Display::img().
---
 main/inc/lib/display.lib.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/main/inc/lib/display.lib.php b/main/inc/lib/display.lib.php
index 750995432e..ed2f50db5d 100755
--- a/main/inc/lib/display.lib.php
+++ b/main/inc/lib/display.lib.php
@@ -659,12 +659,27 @@ class Display {
 * @author Julio Montoya 2010
 */
 public static function img($image_path, $alt_text = '', $additional_attributes = array()) {
+
+ // Sanitizing the parameter $image_path
+ $image_path = htmlspecialchars(trim($image_path)); // No html code is allowed.
+ if (strpos($image_path, '?') !== false) {
+ // We allow static images only, query strings are forbidden here.
+ $image_path = '';
+ }
+ if (($pos = strpos($image_path, ':')) !== false) {
+ // Protocol has been specified, let's check it.
+ $protocol = substr($image_path, 0, $pos + 3);
+ if (strcasecmp($protocol, 'http://') != 0 && strcasecmp($protocol, 'https://') != 0) {
+ // Allowed protocols: http:// , https://
+ $image_path = '';
+ }
+ }
+
 $attribute_list = '';
 // alt text = the image name if there is none provided (for XHTML compliance)
 if ($alt_text == '') {
 $alt_text = basename($image_path);
 }
- $image_path = Security::remove_XSS($image_path);
 $additional_attributes['src'] = $image_path;