Second attempt

CatoTH · CatoTH · commit 728f73421254 · 2026-06-17T17:01:03.000-04:00
diff --git a/assets/gulpfile.vue.js b/assets/gulpfile.vue.js
@@ -99,7 +99,7 @@ function transformVueSfc(source, filePath, vueUrl) {
             .replace(/\\/g, '\\\\')   // escape backslashes FIRST
             .replace(/`/g, '\\`')      // then escape backticks
             .replace(/\$\{/g, '\\${'); // and escape template literal interpolation
-        
+
         parts.push(`
 (function injectStyles() {
   const el = document.createElement('style');
diff --git a/web/js/modules/backend/AppearanceEdit.js b/web/js/modules/backend/AppearanceEdit.js
@@ -49,7 +49,12 @@ export class AppearanceEdit {
             }
 
             const parsed = new URL(editLinkDefault.replace(/DEFAULT/, $selected.val()), window.location.origin);
-            $editLink.attr("href", parsed.pathname + parsed.search);
+            const path = parsed.pathname + parsed.search;
+            if (/^\/[a-zA-Z0-9\-_\/?=&.]*$/.test(path)) {
+                $editLink.attr("href", path);
+            } else {
+                console.error("Rejected unsafe redirect path:", path);
+            }
         };
         $inputs.on("change", onChange);
         onChange();
diff --git a/web/js/modules/backend/MotionList.js b/web/js/modules/backend/MotionList.js
@@ -96,7 +96,12 @@ export class MotionList {
                         link = link.replace("REPLACED", replaced);
                         link = link.replace("MOTIONTYPES", motionTypes.join(","));
                         const url = new URL(link, window.location.origin);
-                        $(this).attr("href", url.pathname + url.search);
+                        const path = url.pathname + url.search;
+                        if (/^\/[a-zA-Z0-9\-_\/?=&.]*$/.test(path)) {
+                            $(this).attr("href", path);
+                        } else {
+                            console.error("Rejected unsafe redirect path:", path);
+                        }
                     });
                 };
             $dd.find("input[type=checkbox]").on("change", recalcLinks).trigger("change");
diff --git a/web/js/modules/shared/SiteCreateWizard.js b/web/js/modules/shared/SiteCreateWizard.js
@@ -313,7 +313,13 @@ export class SiteCreateWizard {
         $form.find("#panelLanguage input").on("change", function () {
             const val = /** @type {string} */ ($form.find("#panelLanguage input:checked").val());
             const url = new URL($form.find("#panelLanguage").data("url").replace(/LNG/, val), window.location.origin);
-            window.location.href = url.pathname + url.search;
+            const path = url.pathname + url.search;
+
+            if (/^\/[a-zA-Z0-9\-_\/?=&.]*$/.test(path)) {
+                window.location.href = path;
+            } else {
+                console.error("Rejected unsafe redirect path:", path);
+            }
         });
 
         // The enter key should not submit the form, but lead to the next panel
