You are here

Home » API reference » Drupal 9 » MediaSettingsForm.php » MediaSettingsForm

public function MediaSettingsForm::buildForm in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/media/src/Form/MediaSettingsForm.php \Drupal\media\Form\MediaSettingsForm::buildForm()
  2. 10 core/modules/media/src/Form/MediaSettingsForm.php \Drupal\media\Form\MediaSettingsForm::buildForm()

Form constructor.

Parameters

array $form: An associative array containing the structure of the form.

\Drupal\Core\Form\FormStateInterface $form_state: The current state of the form.

Return value

array The form structure.

Overrides ConfigFormBase::buildForm

File

core/modules/media/src/Form/MediaSettingsForm.php, line 77

Class

MediaSettingsForm
Provides a form to configure Media settings.

Namespace

Drupal\media\Form

Code

public function buildForm(array $form, FormStateInterface $form_state) {
  $domain = $this
    ->config('media.settings')
    ->get('iframe_domain');
  if (!$this->iFrameUrlHelper
    ->isSecure($domain)) {
    $message = $this
      ->t('It is potentially insecure to display oEmbed content in a frame that is served from the same domain as your main Drupal site, as this may allow execution of third-party code. Refer to <a href="https://oembed.com/#section3">oEmbed Security Considerations</a>.');
    $this
      ->messenger()
      ->addWarning($message);
  }
  $description = '<p>' . $this
    ->t('Displaying media assets from third-party services, such as YouTube or Twitter, can be risky. This is because many of these services return arbitrary HTML to represent those assets, and that HTML may contain executable JavaScript code. If handled improperly, this can increase the risk of your site being compromised.') . '</p>';
  $description .= '<p>' . $this
    ->t('In order to mitigate the risks, third-party assets are displayed in an iFrame, which effectively sandboxes any executable code running inside it. For even more security, the iFrame can be served from an alternate domain (that also points to your Drupal site), which you can configure on this page. This helps safeguard cookies and other sensitive information.') . '</p>';
  $form['security'] = [
    '#type' => 'details',
    '#title' => $this
      ->t('Security'),
    '#description' => $description,
    '#open' => TRUE,
  ];

  // @todo Figure out how and if we should validate that this domain actually
  // points back to Drupal.
  // See https://www.drupal.org/project/drupal/issues/2965979 for more info.
  $form['security']['iframe_domain'] = [
    '#type' => 'url',
    '#title' => $this
      ->t('iFrame domain'),
    '#size' => 40,
    '#maxlength' => 255,
    '#default_value' => $domain,
    '#description' => $this
      ->t('Enter a different domain from which to serve oEmbed content, including the <em>http://</em> or <em>https://</em> prefix. This domain needs to point back to this site, or existing oEmbed content may not display correctly, or at all.'),
  ];
  $form['security']['standalone_url'] = [
    '#prefix' => '<hr>',
    '#type' => 'checkbox',
    '#title' => $this
      ->t('Standalone media URL'),
    '#default_value' => $this
      ->config('media.settings')
      ->get('standalone_url'),
    '#description' => $this
      ->t("Allow users to access @media-entities at /media/{id}.", [
      '@media-entities' => $this->entityTypeManager
        ->getDefinition('media')
        ->getPluralLabel(),
    ]),
  ];
  return parent::buildForm($form, $form_state);
}