From aad020511f12ad5c2dfd9859a52b1c8618be198d Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Fri, 21 Feb 2025 16:33:57 +0100
Subject: [PATCH] js: Only load URLs prefixed by the base URL

---
 public/js/icinga/loader.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/public/js/icinga/loader.js b/public/js/icinga/loader.js
index a4bff4dba..c82f9411e 100644
--- a/public/js/icinga/loader.js
+++ b/public/js/icinga/loader.js
@@ -242,6 +242,10 @@
 loadUrl: function (url, $target, data, method, action, autorefresh, progressTimer, extraHeaders) {
 var id = null;
 
+if (url.startsWith('//') || ! url.startsWith(this.baseUrl + '/')) {
+throw new Error('URL ' + url + ' is not relative to ' + this.baseUrl);
+}
+
 // Default method is GET
 if ('undefined' === typeof method) {
 method = 'GET';
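Review bot: The new guard in loadUrl compares raw string prefixes, so it only recognizes the literal `//` spelling of a scheme-relative URL and does not normalize dot segments, meaning a URL that carries the `this.baseUrl + '/'` prefix and then a `..` segment passes the `startsWith` test while resolving outside the base path. Resolving the URL against the page origin first and then checking `origin` and `pathname` lets the browser's URL parser do the normalization instead of the string check; note that `new URL` throws a TypeError on unparsable input, so callers that expect the custom Error would need that case mapped as well. The check also presumes `this.baseUrl` is always a string; if it were ever unset the guard would reject every URL, which fails safe but is worth a comment such as `// baseUrl is expected to be set before any loadUrl call`. loadUrl's body continues past the end of the hunk.
```javascript
        var id = null;

        // Resolve against the current origin so scheme-relative spellings and
        // dot segments are normalized before the base-path prefix is checked.
        var resolved = new URL(url, window.location.origin);
        if (resolved.origin !== window.location.origin || ! resolved.pathname.startsWith(this.baseUrl + '/')) {
            throw new Error('URL ' + url + ' is not relative to ' + this.baseUrl);
        }

        // … unchanged: default method handling …
```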