Merge pull request #133 from lkrapf/fix/xss-protocol-relative-url

fix: prevent protocol-relative URLs in fragment loader (#132)

Author: rofe

blocks/fragment/fragment.js

@@ -18,7 +18,7 @@ import {
  * @returns {Promise<HTMLElement>} The root element of the fragment
  */
 export async function loadFragment(path) {
-  if (path && path.startsWith('/')) {
+  if (path && path.startsWith('/') && !path.startsWith('//')) {
     const resp = await fetch(`${path}.plain.html`);
     if (resp.ok) {
       const main = document.createElement('main');