Commit 287a0ada authored by Rob Phillips's avatar Rob Phillips

Issue #3324210 by robphillips: Validate cancel and delete link URLs.

parent 42ed6a5f
+13 −3
@@ -3,6 +3,7 @@
namespace Drupal\entity_form_steps\Form;

use Drupal\Component\Utility\SortArray;
use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Render\Markup;
use Drupal\Core\Url;
@@ -158,8 +159,13 @@ class EntityFormSteps {
        $url = \Drupal::token()->replace($step['format_settings']['delete_path'], [
          $entity->getEntityTypeId() => $entity,
        ]);
        if (UrlHelper::isValid($url, TRUE)) {
          $form['actions']['delete']['#url'] = Url::fromUri($url);
        }
        else {
          $form['actions']['delete']['#url'] = Url::fromUserInput($url);
        }
      }
      if ($step['format_settings']['delete_button']) {
        $form['actions']['delete']['#title'] = $step['format_settings']['delete_button'];
      }
@@ -235,9 +241,13 @@ class EntityFormSteps {

    // Redirect to specified route if configured.
    if ($step['format_settings']['cancel_path']) {
      return Url::fromUserInput(\Drupal::token()->replace($step['format_settings']['cancel_path'], [
      $url = \Drupal::token()->replace($step['format_settings']['cancel_path'], [
        $entity->getEntityTypeId() => $entity,
      ]));
      ]);
      if (UrlHelper::isValid($url, TRUE)) {
        return Url::fromUri($url);
      }
      return Url::fromUserInput($url);
    }
    // Redirect to the existing entity canonical route.
    elseif ($entity->id()) {
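Review bot: Both fallbacks (`Url::fromUserInput($url)` in the delete-link hunk and again in the cancel-redirect hunk) run on the token-expanded string, and `fromUserInput()` throws `\InvalidArgumentException` unless that string starts with `/`, `?` or `#`, so a setting saved before this validation existed, or a token that expands to an empty or unexpected value, would abort the form build or the redirect. Guarding the fallback, for example `elseif (preg_match('/^[\/?#]/', $url))`, and otherwise keeping the default route would avoid that. Because the first branch now accepts an absolute URL after token replacement, a token that draws on entity field content could point the link off-site; if that is not intended, a short comment stating which tokens are expected here would help. The same check is written out in both hunks and could presumably move into one private helper; both enclosing methods start and end outside the hunks.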
+21 −0
@@ -2,6 +2,8 @@

namespace Drupal\entity_form_steps\Plugin\field_group\FieldGroupFormatter;

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Form\FormStateInterface;
use Drupal\field_group\FieldGroupFormatterBase;

/**
@@ -52,6 +54,7 @@ class Step extends FieldGroupFormatterBase {
      '#type' => 'textfield',
      '#title' => $this->t('Cancel button URL'),
      '#description' => $this->t('Override the cancel button link URL. Defaults to the entity canonical route.'),
      '#element_validate' => [[static::class, 'validateUrl']],
      '#default_value' => $this->getSetting('cancel_path'),
      '#group' => 'routes',
      '#states' => [
@@ -93,6 +96,7 @@ class Step extends FieldGroupFormatterBase {
    $form['delete_path'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Delete button URL'),
      '#element_validate' => [[static::class, 'validateUrl']],
      '#description' => $this->t('Override the delete button link URL. Defaults to the entity delete route.'),
      '#default_value' => $this->getSetting('delete_path'),
      '#group' => 'routes',
@@ -104,4 +108,21 @@ class Step extends FieldGroupFormatterBase {
    return $form;
  }

  /**
   * Validate proper external or internal URL.
   */
  public static function validateUrl(array $element, FormStateInterface $form_state): void {
    if ($element['#value']) {
      if ($url = \Drupal::service('path.validator')->getUrlIfValid($element['#value'])) {
        $form_state->setValueForElement($element, $url->toString());
      }
      elseif (!UrlHelper::isValid($element['#value'], TRUE) && !preg_match('/^\//', $element['#value'])) {
        $form_state->setError($element, t('The URL must be begin with a forward slash or be external.'));
      }
      elseif (!UrlHelper::isValid($element['#value'])) {
        $form_state->setError($element, t('The URL does not exist or is invalid.'));
      }
    }
  }

}
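Review bot: In `validateUrl`, the first branch overwrites the submitted value with `$url->toString()`, which is the generated URL rather than the internal path; on a site served from a subdirectory or with a language prefix that string would presumably carry the prefix, and `EntityFormSteps` later passes the stored value to `Url::fromUserInput()`, which would apply it again. Consider leaving the value as entered when the path validates, or storing a prefix-free form. Values that contain tokens cannot resolve through `path.validator`, so they only reach the two syntactic branches and the expanded URL is checked at render time; the docblock could say so, e.g. `Token placeholders are checked for syntax only; the expanded URL is validated when the link is built.` The first error string also has a typo and should read `The URL must begin with a forward slash or be external.`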