Merge pull request #9518 from DSpace/backport-9289-to-dspace-7_x

[Port dspace-7_x] Validation of page url in FeedbackRestRepository

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/FeedbackRestRepository.java

@@ -79,8 +79,14 @@ public class FeedbackRestRepository extends DSpaceRestRepository<FeedbackRest, I
             throw new DSpaceBadRequestException("e-mail and message fields are mandatory!");
         }
 
+        String pageUrl = feedbackRest.getPage();
+        String urlPrefix = configurationService.getProperty("dspace.ui.url");
+        if (StringUtils.isNotBlank(pageUrl) && ! StringUtils.startsWith(pageUrl, urlPrefix)) {
+            throw new DSpaceBadRequestException("unexpected page url was submitted");
+        }
+
         try {
-            feedbackService.sendEmail(context, req, recipientEmail, senderEmail, message, feedbackRest.getPage());
+            feedbackService.sendEmail(context, req, recipientEmail, senderEmail, message, pageUrl);
         } catch (IOException | MessagingException e) {
             throw new RuntimeException(e.getMessage(), e);
         }
@@ -100,4 +106,4 @@ public class FeedbackRestRepository extends DSpaceRestRepository<FeedbackRest, I
         this.feedbackService = feedbackService;
     }
 
-}
+}