dashboard/new-dashlet: don't allow external URLs

refs #11920
2016-08-31 15:11:55 +02:00 · 2016-08-31 15:11:55 +02:00 · fa113e023b
parent 1993ae2ed2
commit fa113e023b
2 changed files with 39 additions and 1 deletions
--- a/application/forms/Dashboard/DashletForm.php
+++ b/application/forms/Dashboard/DashletForm.php
@ -3,6 +3,7 @@

 namespace Icinga\Forms\Dashboard;

+use Icinga\Web\Form\Validator\InternalUrlValidator;
 use Icinga\Web\Widget\Dashboard;
 use Icinga\Web\Form;
 use Icinga\Web\Form\Validator\UrlValidator;
@ -70,7 +71,7 @@ class DashletForm extends Form
                'description'   => $this->translate(
                    'Enter url being loaded in the dashlet. You can paste the full URL, including filters.'
                ),
-                'validators'    => array(new UrlValidator())
+                'validators'    => array(new UrlValidator(), new InternalUrlValidator())
            )
        );
        $this->addElement(
--- a/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
+++ b/library/Icinga/Web/Form/Validator/InternalUrlValidator.php
@ -0,0 +1,37 @@
+<?php
+/* Icinga Web 2 | (c) 2016 Icinga Development Team | GPLv2+ */
+
+namespace Icinga\Web\Form\Validator;
+
+use Icinga\Web\Url;
+use Zend_Validate_Abstract;
+
+/**
+ * Validator that checks whether a textfield doesn't contain an external URL
+ */
+class InternalUrlValidator extends Zend_Validate_Abstract
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function isValid($value)
+    {
+        $isExternal = Url::fromPath($value)->isExternal();
+        if ($isExternal) {
+            $this->_error('IS_EXTERNAL');
+        }
+        return ! $isExternal;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function _error($messageKey, $value = null)
+    {
+        if ($messageKey === 'IS_EXTERNAL') {
+            $this->_messages[$messageKey] = t('The url must not be external.');
+        } else {
+            parent::_error($messageKey, $value);
+        }
+    }
+}