Disallow absolute URLs in frames anchor handling

lsegal · Sep 18, 2013 · 98f538a · 98f538a
1 parent 204daf9
commit 98f538a
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/templates/default/fulldoc/html/frames.erb b/templates/default/fulldoc/html/frames.erb
@@ -10,6 +10,7 @@
 window.onload = function() {
   var match = unescape(window.location.hash).match(/^#!(.+)/);
   var name = match ? match[1] : '<%= url_for_main %>';
+  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
   document.writeln('<frameset cols="20%,*">' +
     '<frame name="list" src="<%= url_for_list('class') %>" />' +
     '<frame name="main" src="' + escape(name) + '" />' +