From be4ace0a0433165c1f4665832e594d77870ce215 Mon Sep 17 00:00:00 2001
From: Blacky Cat
Date: Tue, 28 Oct 2025 11:42:58 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 56: Client-side URL redirect

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/doc/files/js/chmRelative.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/doc/files/js/chmRelative.js b/src/doc/files/js/chmRelative.js
index 348dd29..f32a893 100644
--- a/src/doc/files/js/chmRelative.js
+++ b/src/doc/files/js/chmRelative.js
@@ -1 +1,12 @@
-function relativelnk(a){var b,c;b=location.href.search(/:/)==2?14:7;c=location.href.lastIndexOf("\\")+1;a="file:///"+location.href.substring(b,c)+a;location.href=a};
\ No newline at end of file
+function relativelnk(a){
+ // Simple path validation: allow only relative filenames (no slashes, no colon, no protocol)
+ if (typeof a !== 'string' || a.match(/^[a-zA-Z0-9_.-]+$/) === null) {
+ console.error('Invalid path for redirect');
+ return;
+ }
+ var b, c;
+ b = location.href.search(/:/)==2 ? 14 : 7;
+ c = location.href.lastIndexOf("\\")+1;
+ a = "file:///" + location.href.substring(b, c) + a;
+ location.href = a;
+};
\ No newline at end of file
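Review bot: The allowlist `^[a-zA-Z0-9_.-]+$` in the new guard still admits the bare names `.` and `..`, so `relativelnk('..')` navigates to the parent directory of the current page instead of a file beside it; tighten the check to `if (typeof a !== 'string' || a === '.' || a === '..' || !/^[a-zA-Z0-9_.-]+$/.test(a)) {`. The rejection path calls `console.error`, which throws a ReferenceError where no `console` object exists; that seems plausible here, since the 14-character skip for hrefs whose first colon is at index 2 looks like handling for an `mk:@MSITStore:` URL from the HTML Help viewer, so either wrap it as `if (typeof console !== 'undefined') console.error(...)` or drop the log. The old one-liner accepted any `a`, including `subdir/page.htm` or `page.htm#anchor` forms, and such callers would now silently do nothing, so it is worth grepping the generated docs for calls with `/` or `#` before merging. Consider also a one-line header comment stating the contract, e.g. `// Navigate to a file in the same directory as the current page; a must be a bare filename.`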