Werk #19817: Dashboard widgets: validate Title URL on input
| Component | User interface | ||||
| Title | Dashboard widgets: validate Title URL on input | ||||
| Date | May 5, 2026 | ||||
| Level | Trivial Change | ||||
| Class | Bug Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
Previously, the Link title to field of a dashboard widget accepted nearly any input. If the value wasn't actually a valid URL, it was silently dropped on save without any feedback, and the widget ended up saved without the link you wanted.
You now get live feedback while you type: the error Value must be a
valid URL appears on the field as soon as the entered value isn't a
valid URL, and disappears the moment it becomes valid again — no need
to click save first. Valid inputs are HTTP(S) URLs (e.g.
https://example.com/path) and internal Checkmk URLs (e.g.
view.py?label=cmk/os:linux). Schemes such as javascript: and
data: and characters with HTML/JS meaning (<, >, ", `)
are rejected.
This is a follow-up to Werk #19033 (CVE-2026-3466), which sanitized the title link on the server side. The new frontend validation gives you immediate feedback instead of a silent strip on save.