From ed99c3237f5d1d9d67a2e0a12f72e3f55a47f080 Mon Sep 17 00:00:00 2001
From: th0r
Date: Thu, 11 Apr 2019 13:44:42 +0300
Subject: [PATCH 1/3] Use relative links for serving internal assets
---
 src/viewer.js | 9 ++++++++-
 views/script.ejs | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/viewer.js b/src/viewer.js
index ae4ab261..564039ac 100644
--- a/src/viewer.js
+++ b/src/viewer.js
@@ -14,6 +14,7 @@ const Logger = require('./Logger');
 const analyzer = require('./analyzer');
 const projectRoot = path.resolve(__dirname, '..');
+const assetsRoot = path.join(projectRoot, 'public');
 module.exports = {
 startServer,
@@ -169,7 +170,13 @@ async function generateReport(bundleStats, opts) {
 }
 function getAssetContent(filename) {
- return fs.readFileSync(`${projectRoot}/public/${filename}`, 'utf8');
+ const assetPath = path.join(assetsRoot, filename);
+
+ if (!assetPath.startsWith(assetsRoot)) {
+ throw new Error(`"${filename}" is outside of the assets root`);
+ }
+
+ return fs.readFileSync(assetPath, 'utf8');
 }
 /**
diff --git a/views/script.ejs b/views/script.ejs
index 718c954f..37976abf 100644
--- a/views/script.ejs
+++ b/views/script.ejs
@@ -4,5 +4,5 @@
 <%- escapeScript(assetContent(filename)) %>
 <% } else { %>
-
+
 <% } %>
From 21722d28183314c88ca414f2b5c21179adc86875 Mon Sep 17 00:00:00 2001
From: th0r
Date: Thu, 11 Apr 2019 13:52:57 +0300
Subject: [PATCH 2/3] Add changelog entry
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a818689b..5730d921 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
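Review bot: In `getAssetContent` (src/viewer.js), `assetPath.startsWith(assetsRoot)` is a plain string-prefix test, so a resolved path in a sibling directory whose name merely begins with `public` still passes the guard even though it lies outside the assets root. Anchoring the comparison on a path separator closes that gap: `if (!assetPath.startsWith(assetsRoot + path.sep)) {`. The check is also purely lexical, since `path.join` does not resolve symlinks, so a short comment stating that limit would help the next reader, e.g. `// lexical containment check only; symlinks under public/ are not resolved`. The whole function sits inside this hunk; where `filename` originates is not visible here.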
@@ -13,6 +13,8 @@ _Note: Gaps between patch versions are faulty, broken or test releases._
 ## UNRELEASED
+ * **Improvements**
+ * Use relative links for serving internal assets ([#261](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/261), fixes [#254](https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/254))
 * **Improvements**
 * Properly escape embedded JS/JSON ([#262](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/262))
From 99818f9238a5f97a63f604bacd13bcd4a1738cc4 Mon Sep 17 00:00:00 2001
From: th0r
Date: Thu, 11 Apr 2019 13:56:50 +0300
Subject: [PATCH 3/3] Fix changelog
---
 CHANGELOG.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5730d921..b204a045 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,10 +13,9 @@ _Note: Gaps between patch versions are faulty, broken or test releases._
 ## UNRELEASED
- * **Improvements**
- * Use relative links for serving internal assets ([#261](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/261), fixes [#254](https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/254))
 * **Improvements**
+ * Use relative links for serving internal assets ([#261](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/261), fixes [#254](https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/254))
 * Properly escape embedded JS/JSON ([#262](https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/262))
 * **Bug Fix**