From e47f5e759b92fb04156b2fd171dbe7d300e805ec Mon Sep 17 00:00:00 2001
From: Lauri Eskola <lauri.eskola@acquia.com>
Date: Fri, 17 Mar 2023 10:47:14 +0200
Subject: [PATCH] Issue #2843992 by smustgrave, jasonawant, moshnoi, alexpott:
 Block page visibility paths are not validated, using path a without leading
 forward slash does not work

---
 .../block/tests/src/Functional/BlockTest.php        | 11 +++++++++++
 .../system/src/Plugin/Condition/RequestPath.php     | 13 +++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/core/modules/block/tests/src/Functional/BlockTest.php b/core/modules/block/tests/src/Functional/BlockTest.php
index 2e16a24d618f..e68f58bc4413 100644
--- a/core/modules/block/tests/src/Functional/BlockTest.php
+++ b/core/modules/block/tests/src/Functional/BlockTest.php
@@ -244,6 +244,17 @@ public function testBlock() {
     $xpath = $this->assertSession()->buildXPathQuery('//div[@id=:id]/*', [':id' => 'block-' . str_replace('_', '-', strtolower($block['id']))]);
     $this->assertSession()->elementNotExists('xpath', $xpath);
 
+    $pages = [
+      '',
+      '<front>',
+      '/valid-page',
+      'user/login',
+    ];
+    // Test error when not including forward slash.
+    $this->drupalGet('admin/structure/block/manage/' . $block['id']);
+    $this->submitForm(['visibility[request_path][pages]' => implode("\n", $pages)], 'Save block');
+    $this->assertSession()->pageTextContains('The path user/login requires a leading forward slash when used with the Pages setting.');
+
     // Test deleting the block from the edit form.
     $this->drupalGet('admin/structure/block/manage/' . $block['id']);
     $this->clickLink('Remove block');
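Review bot: The added assertions in testBlock() cover only the rejection of `user/login`; nothing checks that the other three entries (the empty line, `<front>` and `/valid-page`) are accepted, so a validator that rejected every submission would still pass this test. A second submission containing only the valid entries, followed by `$this->assertSession()->pageTextNotContains('requires a leading forward slash');`, would pin the accepting side as well. The comment `// Test error when not including forward slash.` describes the `$pages` array and would read better above it. testBlock() begins and ends outside this hunk.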
diff --git a/core/modules/system/src/Plugin/Condition/RequestPath.php b/core/modules/system/src/Plugin/Condition/RequestPath.php
index 796277986b8c..9b4bd474d1a7 100644
--- a/core/modules/system/src/Plugin/Condition/RequestPath.php
+++ b/core/modules/system/src/Plugin/Condition/RequestPath.php
@@ -112,6 +112,19 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
     return parent::buildConfigurationForm($form, $form_state);
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  public function validateConfigurationForm(array &$form, FormStateInterface $form_state) {
+    $paths = array_map('trim', explode("\n", $form_state->getValue('pages')));
+    foreach ($paths as $path) {
+      if (empty($path) || $path === '<front>' || str_starts_with($path, '/')) {
+        continue;
+      }
+      $form_state->setErrorByName('pages', $this->t("The path %path requires a leading forward slash when used with the Pages setting.", ['%path' => $path]));
+    }
+  }
+
   /**
    * {@inheritdoc}
    */
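Review bot: In validateConfigurationForm() the `empty($path)` guard also skips a line containing only `0`, because PHP treats the string '0' as empty, so that entry is saved without a leading slash and without an error. Comparing against the empty string closes the gap: `if ($path === '' || $path === '<front>' || str_starts_with($path, '/')) {`. Every offending line calls `setErrorByName('pages', ...)` on the same element, and as far as I know FormState keeps only the first error recorded per element, so a user with several bad lines would probably see them one save at a time; collecting the invalid paths and raising one message would avoid that. The check also runs only on form submission, so visibility paths that arrive through configuration import or were stored before this change are presumably still not validated, which is worth stating in the docblock instead of a bare `{@inheritdoc}`.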
-- 
GitLab