Werk #19985: Dashboard widgets: reject disallowed title URLs on save
| Component | User interface | ||||
| Title | Dashboard widgets: reject disallowed title URLs on save | ||||
| Date | Jun 12, 2026 | ||||
| Level | Trivial Change | ||||
| Class | Bug Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
A widget title can link to a URL, for which only the http and https schemes are allowed.
Previously the REST API accepted a title link URL with any scheme on write and only dropped a
disallowed one when reading the dashboard back (see Werk #19583),
so the rejected value was still written to the stored configuration. The REST API now rejects such
a URL (for example javascript:) at save time with a validation error, so it never reaches the
stored configuration.
API clients that previously sent such a URL received a successful response (the value was then dropped on read) they now receive a 400 error instead.