From fa113e023b658470c13756bd463d8b64d29db95b Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 31 Aug 2016 15:11:55 +0200
Subject: [PATCH 1/4] dashboard/new-dashlet: don't allow external URLs refs #11920
---
 application/forms/Dashboard/DashletForm.php | 3 +-
 .../Form/Validator/InternalUrlValidator.php | 37 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 library/Icinga/Web/Form/Validator/InternalUrlValidator.php
diff --git a/application/forms/Dashboard/DashletForm.php b/application/forms/Dashboard/DashletForm.php
index f3df2c216..07d5c327e 100644
--- a/application/forms/Dashboard/DashletForm.php
+++ b/application/forms/Dashboard/DashletForm.php
@@ -3,6 +3,7 @@ namespace Icinga\Forms\Dashboard;
+use Icinga\Web\Form\Validator\InternalUrlValidator;
 use Icinga\Web\Widget\Dashboard;
 use Icinga\Web\Form;
 use Icinga\Web\Form\Validator\UrlValidator;
@@ -70,7 +71,7 @@ class DashletForm extends Form
 'description' => $this->translate(
 'Enter url being loaded in the dashlet. You can paste the full URL, including filters.'
 ),
- 'validators' => array(new UrlValidator())
+ 'validators' => array(new UrlValidator(), new InternalUrlValidator())
 )
 );
 $this->addElement(
diff --git a/library/Icinga/Web/Form/Validator/InternalUrlValidator.php b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
new file mode 100644
index 000000000..a0230c782
--- /dev/null
+++ b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
@@ -0,0 +1,37 @@
+isExternal();
+ if ($isExternal) {
+ $this->_error('IS_EXTERNAL');
+ }
+ return ! $isExternal;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function _error($messageKey, $value = null)
+ {
+ if ($messageKey === 'IS_EXTERNAL') {
+ $this->_messages[$messageKey] = t('The url must not be external.');
+ } else {
+ parent::_error($messageKey, $value);
+ }
+ }
+}
From 5845d6c0cbf02040d43692e4c743dfad732a825d Mon Sep 17 00:00:00 2001
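Review bot: The new `InternalUrlValidator` in the `'validators'` array only runs when this form is submitted, so a dashlet URL that reaches the dashboard by another route (an entry stored before this change, or one written straight into the dashboard configuration) is presumably still loaded unchecked. The rendering side is not part of this patch, so that should be confirmed and, if it holds, the same `isExternal()` check enforced where the dashlet URL is consumed. Both validators also run on every submission unless the chain is told to stop, which means `Url::fromPath()` is handed input that `UrlValidator` may already have rejected. A short comment on the line would record the intent, e.g. `// reject URLs that point outside this Icinga Web 2 instance (refs #11920)`. The surrounding method starts and ends outside the hunk.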
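Review bot: The `_error()` override stores the translated text in `$this->_messages` but skips the rest of what `Zend_Validate_Abstract::_error()` does, notably appending the key to `$this->_errors`, so `getErrors()` would come back empty for a rejected URL. Adding `$this->_errors[] = $messageKey;` in the `IS_EXTERNAL` branch keeps the two in step. The key is also a bare string repeated in `isValid()` and `_error()`; a class constant such as `const IS_EXTERNAL = 'IS_EXTERNAL';` would remove the chance of a silent mismatch. The top of the new file, including the class header and the start of `isValid()`, is not visible on this page.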
From: Eric Lippmann
Date: Fri, 9 Sep 2016 15:20:45 +0200
Subject: [PATCH 2/4] Optimize imports in DashletForm refs #11920
---
 application/forms/Dashboard/DashletForm.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/application/forms/Dashboard/DashletForm.php b/application/forms/Dashboard/DashletForm.php
index 07d5c327e..9b23d9517 100644
--- a/application/forms/Dashboard/DashletForm.php
+++ b/application/forms/Dashboard/DashletForm.php
@@ -3,11 +3,11 @@ namespace Icinga\Forms\Dashboard;
-use Icinga\Web\Form\Validator\InternalUrlValidator;
-use Icinga\Web\Widget\Dashboard;
 use Icinga\Web\Form;
+use Icinga\Web\Form\Validator\InternalUrlValidator;
 use Icinga\Web\Form\Validator\UrlValidator;
 use Icinga\Web\Url;
+use Icinga\Web\Widget\Dashboard;
 use Icinga\Web\Widget\Dashboard\Dashlet;
 /**
From 1f980f92f2bafc36ba7817ec7a2459839a8b1157 Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Fri, 9 Sep 2016 15:21:06 +0200
Subject: [PATCH 3/4] Optimize imports in InternalUrlValidator refs #11920
---
 library/Icinga/Web/Form/Validator/InternalUrlValidator.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/Icinga/Web/Form/Validator/InternalUrlValidator.php b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
index a0230c782..8876f562b 100644
--- a/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
+++ b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
@@ -3,8 +3,8 @@ namespace Icinga\Web\Form\Validator;
-use Icinga\Web\Url;
 use Zend_Validate_Abstract;
+use Icinga\Web\Url;
 /**
 * Validator that checks whether a textfield doesn't contain an external URL
From ef7be98e0c29eeeb4b35933adb8e98edae0c8c66 Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Fri, 9 Sep 2016 15:22:24 +0200
Subject: [PATCH 4/4] Simplify InternalUrlValidator::isValid() refs #11920
---
 .../Icinga/Web/Form/Validator/InternalUrlValidator.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/library/Icinga/Web/Form/Validator/InternalUrlValidator.php b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
index 8876f562b..07726824a 100644
--- a/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
+++ b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
@@ -16,11 +16,13 @@ class InternalUrlValidator extends Zend_Validate_Abstract
 */
 public function isValid($value)
 {
- $isExternal = Url::fromPath($value)->isExternal();
- if ($isExternal) {
+ if (Url::fromPath($value)->isExternal()) {
 $this->_error('IS_EXTERNAL');
+
+ return false;
 }
- return ! $isExternal;
+
+ return true;
 }
 /**
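Review bot: `isValid()` hands `$value` to `Url::fromPath()` without checking that it is a string, so a request that submits the field as an array reaches the URL parser directly; failing closed takes one condition, `if (! is_string($value) || Url::fromPath($value)->isExternal()) {`. The method also never calls `$this->_setValue($value);`, which in Zend validators is what clears messages left from an earlier call on the same instance. Since the whole decision rests on `isExternal()`, this class deserves a unit test that pins its answer for absolute, scheme-relative and plain relative paths; none is added in this series as far as the page shows.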