public function SecKitSettingsForm::validateForm in Security Kit 8
Same name and namespace in other branches
- 2.x src/Form/SecKitSettingsForm.php \Drupal\seckit\Form\SecKitSettingsForm::validateForm()
Form validation handler.
Parameters
array $form: An associative array containing the structure of the form.
\Drupal\Core\Form\FormStateInterface $form_state: The current state of the form.
Overrides FormBase::validateForm
File
- src/Form/SecKitSettingsForm.php, line 734
Class
- SecKitSettingsForm
- Implements a form to collect security check configuration.
Namespace
Drupal\seckit\Form
Code
/**
 * {@inheritdoc}
 *
 * Cross-field validation for the Security Kit settings form. Each check only
 * records an error on $form_state for the offending element; nothing is
 * persisted here, and the submitted values are never modified.
 */
public function validateForm(array &$form, FormStateInterface $form_state) {
  // From-Origin: enabling the header without naming a destination is an
  // error, because the header value would otherwise be empty.
  $fromOriginOn = $form_state->getValue(['seckit_various', 'from_origin']);
  $fromOriginTarget = $form_state->getValue(['seckit_various', 'from_origin_destination']);
  if ($fromOriginOn && empty($fromOriginTarget)) {
    $form_state->setErrorByName(
      'seckit_various][from_origin_destination',
      $this->t('You have to set up trustworthy destination for From-Origin HTTP response header. Default is same.')
    );
  }

  // X-Frame-Options: ALLOW-FROM only makes sense with at least one origin.
  // Loose comparison is kept on purpose: the submitted value is a string
  // while the interface constant may be an integer.
  $xFrameMode = $form_state->getValue(['seckit_clickjacking', 'x_frame']);
  if ($xFrameMode == SeckitInterface::X_FRAME_ALLOW_FROM) {
    $allowFromRaw = $form_state->getValue(['seckit_clickjacking', 'x_frame_allow_from']);
    $allowFromList = $this->seckitExplodeValue($allowFromRaw);
    if (!$allowFromList) {
      $form_state->setErrorByName(
        'seckit_clickjacking][x_frame_allow_from',
        $this->t('You must specify a trusted Origin for the ALLOW-FROM value of the X-Frame-Options HTTP response header.')
      );
    }
  }

  // HSTS: max-age is mandatory once the header is enabled. Note that a bare
  // "0" is falsy here and is therefore reported as missing rather than
  // accepted as a zero max-age.
  $hstsOn = $form_state->getValue(['seckit_ssl', 'hsts']);
  $hstsMaxAge = $form_state->getValue(['seckit_ssl', 'hsts_max_age']);
  if ($hstsOn && empty($hstsMaxAge)) {
    $form_state->setErrorByName(
      'seckit_ssl][hsts_max_age',
      $this->t('You have to set up Max-Age value for HTTP Strict Transport Security. Default is 1000.')
    );
  }
  // The digits-only rule applies whether or not HSTS is switched on, so a
  // malformed value cannot be stored and surface later when it is enabled.
  $hasNonDigit = preg_match('/[^0-9]/', $hstsMaxAge) ? TRUE : FALSE;
  if ($hasNonDigit) {
    $form_state->setErrorByName(
      'seckit_ssl][hsts_max_age',
      $this->t('Only digits are allowed in HTTP Strict Transport Security Max-Age field.')
    );
  }

  // JS + CSS + Noscript clickjacking protection renders a message for
  // clients without JavaScript; that message must not be empty.
  $noscriptOn = $form_state->getValue(['seckit_clickjacking', 'js_css_noscript']);
  $noscriptText = $form_state->getValue(['seckit_clickjacking', 'noscript_message']);
  if ($noscriptOn && empty($noscriptText)) {
    $form_state->setErrorByName(
      'seckit_clickjacking][noscript_message',
      $this->t('You have to set up Custom text for disabled JavaScript message when JS + CSS + Noscript protection is enabled.')
    );
  }

  // CSP report-uri: an external value must be a well-formed absolute URI,
  // an internal value must resolve to a valid path.
  $reportUri = $form_state->getValue(['seckit_xss', 'csp', 'report-uri']);
  if (!UrlHelper::isExternal($reportUri)) {
    // Access is deliberately not checked here: the browser posts reports
    // anonymously, so only the path's existence matters.
    $resolved = $this->pathValidator->getUrlIfValidWithoutAccessCheck($reportUri);
    if (!$resolved) {
      $form_state->setErrorByName(
        'seckit_xss][csp][report-uri',
        $this->t('The CSP report-uri seems relative but does not seem to be a valid path.')
      );
    }
  }
  else {
    // Protocol-relative URIs ("//host/path") would fail UrlHelper::isValid
    // for lack of a scheme. Prefix one on a local copy purely for the
    // validity check; the submitted value itself is left untouched.
    $candidate = $reportUri;
    if (substr($candidate, 0, 2) === '//') {
      $candidate = 'https:' . $candidate;
    }
    if (!UrlHelper::isValid($candidate)) {
      $form_state->setErrorByName(
        'seckit_xss][csp][report-uri',
        $this->t('The CSP report-uri seems absolute but does not seem to be a valid URI.')
      );
    }
  }
}