Merge remote-tracking branch 'origin' into feature/test-update

src/MinisiteInterface.php

@@ -25,12 +25,12 @@ interface MinisiteInterface {
   /**
    * Default allowed extensions.
    */
-  const ALLOWED_EXTENSIONS = 'html htm js css png jpg gif svg pdf doc docx ppt pptx xls xlsx tif xml txt woff woff2 ttf eot ico';
+  const ALLOWED_EXTENSIONS = 'html htm js css png jpg gif svg pdf docx ppt pptx xls xlsx tif xml txt woff woff2 ttf eot ico';
 
   /**
    * Extensions that can never be allowed.
    */
-  const DENIED_EXTENSIONS = 'exe scr bmp';
+  const DENIED_EXTENSIONS = 'exe scr bmp php doc rtf';
 
   /**
    * Archive extensions supported by the current implementation.

src/Plugin/Field/FieldType/MinisiteItem.php

@@ -174,14 +174,19 @@ class MinisiteItem extends FileItem {
 
   /**
    * Check that entered extensions are not in the denied extensions list.
+   *
+   * By default, this list is defined in MinisiteInterface.php but can
+   * be overriden by creating an environment variable file '.env' and creating
+   * an environment variable DENIED_EXTENSIONS. E.g:
+   *
+   * DENIED_EXTENSIONS="exe php bat"
    */
   public static function validateNoDeniedExtensions($element, FormStateInterface $form_state) {
     if (!empty($element['#value'])) {
       $extensions = preg_replace('/([, ]+\.?)/', ' ', trim(strtolower($element['#value'])));
       $extensions = array_filter(explode(' ', $extensions));
-
-      $denied_extensions = explode(' ', MinisiteInterface::DENIED_EXTENSIONS);
-
+      $denied_extensions = getenv('DENIED_EXTENSIONS') ?: MinisiteInterface::DENIED_EXTENSIONS;
+      $denied_extensions = explode(' ', $denied_extensions);
       $invalid_extensions = array_intersect($extensions, $denied_extensions);
       if (count($invalid_extensions) > 0) {
         $form_state->setError($element, t('The list of allowed extensions is not valid, be sure to not include %ext extension(s).', ['%ext' => implode(', ', $invalid_extensions)]));