Don't load external domains in iframe

1 files changed, 3 insertions, 1 deletions

diff --git a/index.php b/index.php
index 6b9bd5c..be7c9d8 100644
--- a/index.php
+++ b/index.php
@@ -173,7 +173,9 @@ if (count($_GET) == 0) {
 } else {
   $iframe = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1);
 
-  if (strpos($iframe, '&') !== false) {
+  if (strpos($iframe, '//') === 0 || strpos($iframe, 'http') === 0) {
+    $iframe = 'overview.php';
+  } else if (strpos($iframe, '&') !== false) {
     $iframe = substr_replace($iframe, '.php?', strpos($iframe, '&'), 1);
   } else {
     $iframe .= '.php';