template: getPartPath(): Ensure return path isn't outside template dir

user-input to this function might become possible soon

template.cpp

@@ -18,6 +18,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 */
+#include <filesystem>
 #include "template.h"
 #include "varreplacer.h"
 #include "urlprovider.h"
@@ -47,9 +48,15 @@ TemplatePage Template::getPage(const std::string &pagename)
 
 std::string Template::getPartPath(std::string_view partname)
 {
-	// TODO: utils::concatPath? C++17 paths?
+	auto absolute_path = std::filesystem::canonical(std::filesystem::path{this->templatepath} / partname);
-	return this->templatepath + "/" + std::string(partname);
+	std::string result = absolute_path.string();
+	if(result.starts_with(this->templatepath))
+	{
+		return result;
 	}
+	return "";
+}
+
 std::string Template::loadPartContent(std::string_view partname)
 {
 	std::string partpath = getPartPath(partname);