dashboard/new-dashlet: don't allow external URLs

refs #11920

application/forms/Dashboard/DashletForm.php

@@ -3,6 +3,7 @@
 
 namespace Icinga\Forms\Dashboard;
 
+use Icinga\Web\Form\Validator\InternalUrlValidator;
 use Icinga\Web\Widget\Dashboard;
 use Icinga\Web\Form;
 use Icinga\Web\Form\Validator\UrlValidator;
@@ -70,7 +71,7 @@ class DashletForm extends Form
                 'description'   => $this->translate(
                     'Enter url being loaded in the dashlet. You can paste the full URL, including filters.'
                 ),
-                'validators'    => array(new UrlValidator())
+                'validators'    => array(new UrlValidator(), new InternalUrlValidator())
             )
         );
         $this->addElement(

library/Icinga/Web/Form/Validator/InternalUrlValidator.php

@@ -0,0 +1,37 @@
+<?php
+/* Icinga Web 2 | (c) 2016 Icinga Development Team | GPLv2+ */
+
+namespace Icinga\Web\Form\Validator;
+
+use Icinga\Web\Url;
+use Zend_Validate_Abstract;
+
+/**
+ * Validator that checks whether a textfield doesn't contain an external URL
+ */
+class InternalUrlValidator extends Zend_Validate_Abstract
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function isValid($value)
+    {
+        $isExternal = Url::fromPath($value)->isExternal();
+        if ($isExternal) {
+            $this->_error('IS_EXTERNAL');
+        }
+        return ! $isExternal;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function _error($messageKey, $value = null)
+    {
+        if ($messageKey === 'IS_EXTERNAL') {
+            $this->_messages[$messageKey] = t('The url must not be external.');
+        } else {
+            parent::_error($messageKey, $value);
+        }
+    }
+}