function seckit_admin_form_validate in Security Kit 7
Validates form data.
File
- includes/
seckit.form.inc, line 714 - Administrative interface for SecKit settings.
/**
 * Form API validation callback for the SecKit settings form.
 *
 * Each rule below inspects the submitted values in $form_state['values'] and,
 * when an enabled feature lacks a required companion value, attaches an error
 * to the offending element via form_error(). Form API then refuses to submit.
 *
 * @param array $form
 *   The form structure, used only to locate the element to flag.
 * @param array $form_state
 *   The form state; $form_state['values'] holds the submitted values.
 */
function seckit_admin_form_validate($form, &$form_state) {
  $values = $form_state['values'];
  $csp_values = $values['seckit_xss']['csp'];
  $various_values = $values['seckit_various'];
  $clickjacking_values = $values['seckit_clickjacking'];
  $ssl_values = $values['seckit_ssl'];

  // CSP report-uri: while CSP headers are on, a non-empty report-uri must be a
  // valid local path. An empty value is deliberately skipped because the
  // default is filled in later.
  $csp_on = $csp_values['checkbox'];
  $csp_report_uri = $csp_values['report-uri'];
  if ($csp_on && !empty($csp_report_uri) && !drupal_valid_path($csp_report_uri)) {
    $report_uri_element = $form['seckit_xss']['csp']['report-uri'];
    form_error($report_uri_element, t('Non-existent path for report-uri given: %uri', array(
      '%uri' => $csp_report_uri,
    )));
  }

  // From-Origin: enabling the header without naming a destination is an error.
  $from_origin_on = $various_values['from_origin'];
  $from_origin_target = $various_values['from_origin_destination'];
  if ($from_origin_on == 1 && !$from_origin_target) {
    form_error($form['seckit_various']['from_origin_destination'], t('You have to set up trustworthy destination for From-Origin HTTP response header. Default is same.'));
  }

  // X-Frame-Options ALLOW-FROM: at least one trusted origin must be listed.
  // _seckit_explode_value() returning an empty result means none was given.
  $x_frame_mode = $clickjacking_values['x_frame'];
  if ($x_frame_mode == SECKIT_X_FRAME_ALLOW_FROM) {
    $allow_from_origins = $clickjacking_values['x_frame_allow_from'];
    if (!_seckit_explode_value($allow_from_origins)) {
      form_error($form['seckit_clickjacking']['x_frame_allow_from'], t('You must specify a trusted Origin for the ALLOW-FROM value of the X-Frame-Options HTTP response header.'));
    }
  }

  // HSTS: an enabled header needs a max-age, and whatever is entered may only
  // contain digits (the digit check runs regardless of the enable flag,
  // presumably because the value is emitted verbatim into the header).
  $hsts_on = $ssl_values['hsts'];
  $hsts_max_age = $ssl_values['hsts_max_age'];
  if ($hsts_on == 1 && !$hsts_max_age) {
    form_error($form['seckit_ssl']['hsts_max_age'], t('You have to set up Max-Age value for HTTP Strict Transport Security. Default is 1000.'));
  }
  $has_non_digit = preg_match('/[^0-9]/', $hsts_max_age);
  if ($has_non_digit) {
    form_error($form['seckit_ssl']['hsts_max_age'], t('Only digits are allowed in HTTP Strict Transport Security Max-Age field.'));
  }

  // JS + CSS + Noscript clickjacking protection: the message shown to users
  // without JavaScript must be provided when the protection is enabled.
  $noscript_protection_on = $clickjacking_values['js_css_noscript'];
  $noscript_text = $clickjacking_values['noscript_message'];
  if ($noscript_protection_on == 1 && !$noscript_text) {
    form_error($form['seckit_clickjacking']['noscript_message'], t('You have to set up Custom text for disabled JavaScript message when JS + CSS + Noscript protection is enabled.'));
  }
}