Commit ff1433c4 authored by Drew Webber

Issue #3340072 by mcdruid, penyaskito, dennis_meuwissen: Text fields not big enough

parent 6d32ad55
#seckit-settings-form textarea,
#seckit-settings-form input[type=text] {
width: 60em;
}
listener:
js:
js/seckit.listener.js: {}
admin-styles:
css:
theme:
css/seckit.admin.css: {}
......@@ -76,6 +76,7 @@ class SecKitSettingsForm extends ConfigFormBase {
*/
public function buildForm(array $form, FormStateInterface $form_state) {
$form['#attached']['library'][] = 'seckit/listener';
$form['#attached']['library'][] = 'seckit/admin-styles';
$config = $this->config('seckit.settings');
......@@ -188,104 +189,130 @@ class SecKitSettingsForm extends ConfigFormBase {
];
// CSP default-src directive.
$form['seckit_xss']['csp']['default-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.default-src'),
'#title' => 'default-src',
'#description' => $this->t("Specify security policy for all types of content, which are not specified further (frame-ancestors excepted). Default is 'self'."),
];
// CSP script-src directive.
$form['seckit_xss']['csp']['script-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.script-src'),
'#title' => 'script-src',
'#description' => $this->t('Specify trustworthy sources for <script> elements.'),
];
// CSP object-src directive.
$form['seckit_xss']['csp']['object-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.object-src'),
'#title' => 'object-src',
'#description' => $this->t('Specify trustworthy sources for <object>, <embed> and <applet> elements.'),
];
// CSP style-src directive.
$form['seckit_xss']['csp']['style-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.style-src'),
'#title' => 'style-src',
'#description' => $this->t('Specify trustworthy sources for stylesheets. Note, that inline stylesheets and style attributes of HTML elements are allowed.'),
];
// CSP img-src directive.
$form['seckit_xss']['csp']['img-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.img-src'),
'#title' => 'img-src',
'#description' => $this->t('Specify trustworthy sources for <img> elements.'),
];
// CSP media-src directive.
$form['seckit_xss']['csp']['media-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.media-src'),
'#title' => 'media-src',
'#description' => $this->t('Specify trustworthy sources for <audio> and <video> elements.'),
];
// CSP frame-src directive.
$form['seckit_xss']['csp']['frame-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.frame-src'),
'#title' => 'frame-src',
'#description' => $this->t('Specify trustworthy sources for <iframe> and <frame> elements. This directive is deprecated and will be replaced by child-src. It is recommended to use the both the frame-src and child-src directives until all browsers you support recognize the child-src directive.'),
];
// CSP frame-ancestors directive.
$form['seckit_xss']['csp']['frame-ancestors'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.frame-ancestors'),
'#title' => 'frame-ancestors',
'#description' => $this->t("Specify trustworthy hosts which are allowed to embed this site's resources via <iframe>, <frame>, <object>, <embed> and <applet> elements."),
];
// CSP child-src directive.
$form['seckit_xss']['csp']['child-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.child-src'),
'#title' => 'child-src',
'#description' => $this->t('Specify trustworthy sources for <iframe> and <frame> elements as well as for loading Workers.'),
];
// CSP font-src directive.
$form['seckit_xss']['csp']['font-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.font-src'),
'#title' => 'font-src',
'#description' => $this->t('Specify trustworthy sources for @font-src CSS loads.'),
];
// CSP connect-src directive.
$form['seckit_xss']['csp']['connect-src'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.connect-src'),
'#title' => 'connect-src',
'#description' => $this->t('Specify trustworthy sources for XMLHttpRequest, WebSocket and EventSource connections.'),
];
// CSP report-uri directive.
$form['seckit_xss']['csp']['report-uri'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.report-uri'),
'#title' => 'report-uri',
'#description' => $this->t('Specify a URL (can be relative to the Drupal root, or absolute) to which user-agents will report CSP violations. Use the default value, unless you have set up an alternative handler for these reports. Note that if you specify a custom relative path, it should typically be accessible by all users (including anonymous). Defaults to <code>@report-url</code> which logs the report data.', ['@report-url' => SeckitInterface::CSP_REPORT_URL]),
];
// CSP policy-uri directive.
$form['seckit_xss']['csp']['policy-uri'] = [
'#type' => 'textfield',
'#maxlength' => 1024,
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#default_value' => $config->get('seckit_xss.csp.policy-uri'),
'#title' => 'policy-uri',
'#description' => $this->t("Specify a URL (relative to the Drupal root) for a file containing the (entire) policy. <strong>All other directives will be omitted</strong> by Security Kit, as <code>policy-uri</code> may only be defined in the <em>absence</em> of other policy definitions in the <code>X-Content-Security-Policy</code> HTTP header. The MIME type for this URI <strong>must</strong> be <code>text/x-content-security-policy</code>, otherwise user-agents will enforce the policy <code>allow 'none'</code> instead."),
......@@ -350,11 +377,13 @@ class SecKitSettingsForm extends ConfigFormBase {
];
// Origin whitelist.
$form['seckit_csrf']['origin_whitelist'] = [
'#type' => 'textfield',
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#title' => $this->t('Allow requests from'),
'#default_value' => $config->get('seckit_csrf.origin_whitelist'),
'#size' => 90,
'#maxlength' => 255,
'#description' => $this->t('Comma separated list of trustworthy sources. Do not enter your website URL - it is automatically added. Syntax of the source is: [protocol] :// [host] : [port] . E.g, http://example.com, https://example.com, https://www.example.com, http://www.example.com:8080'),
];
......@@ -468,7 +497,10 @@ class SecKitSettingsForm extends ConfigFormBase {
// Custom text for "disabled JavaScript" message.
$form['seckit_clickjacking']['javascript']['noscript_message'] = [
'#type' => 'textfield',
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#title' => $this->t('Custom text for disabled JavaScript message'),
'#default_value' => $config->get('seckit_clickjacking.noscript_message'),
'#description' => $this->t('This message will be shown to user when JavaScript is disabled or unsupported in his browser. Default is "Sorry, you need to enable JavaScript to visit this website."'),
......@@ -574,11 +606,12 @@ class SecKitSettingsForm extends ConfigFormBase {
];
$form['seckit_ct']['report_uri'] = [
'#type' => 'textfield',
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#title' => $this->t('Report-uri'),
'#default_value' => $config->get('seckit_ct.report_uri'),
'#size' => 90,
'#maxlength' => 255,
'#description' => $this->t('Specify the (absolute) URI to which the user agent should report Expect-CT failures.'),
];
......@@ -612,11 +645,13 @@ class SecKitSettingsForm extends ConfigFormBase {
];
$form['seckit_fp']['feature_policy_policy'] = [
'#type' => 'textfield',
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#title' => $this->t('Policy'),
'#default_value' => $config->get('seckit_fp.feature_policy_policy'),
'#size' => 90,
'#maxlength' => 255,
'#description' => $this->t('Specify the policy to be sent out with Feature-Policy headers.'),
];
......@@ -652,10 +687,12 @@ class SecKitSettingsForm extends ConfigFormBase {
];
$form['seckit_various']['from_origin_destination'] = [
'#type' => 'textfield',
'#type' => 'textarea',
'#attributes' => [
'rows' => 1,
],
'#title' => $this->t('Allow loading content to'),
'#default_value' => $config->get('seckit_various.from_origin_destination'),
'#size' => 90,
'#description' => $this->t('Trustworthy destination. Possible variants are: @items', $args),
'#states' => [
'required' => [
......@@ -781,6 +818,39 @@ class SecKitSettingsForm extends ConfigFormBase {
$form_state->setErrorByName('seckit_xss][csp][report-uri', $this->t('The CSP report-uri seems relative but does not seem to be a valid path.'));
}
}
// Check for newlines in some textarea inputs where there should be none.
$csp_textareas = array(
'default-src',
'script-src',
'object-src',
'style-src',
'img-src',
'media-src',
'frame-src',
'frame-ancestors',
'child-src',
'font-src',
'connect-src',
);
foreach ($csp_textareas as $csp_textarea) {
$value = $form_state->getValue(['seckit_xss', 'csp', $csp_textarea]);
if ($value !== str_replace(array("\r", "\n"), '', (string) $value)) {
$form_state->setErrorByName('seckit_xss][csp][' . $csp_textarea, t('CSP directives cannot contain newlines.'));
}
}
$value = $form_state->getValue(['seckit_csrf', 'origin_whitelist']);
if ($value !== str_replace(array("\r", "\n"), '', (string) $value)) {
$form_state->setErrorByName('seckit_csrf][origin_whitelist', t('CSRF Origin Whitelist cannot contain newlines.'));
}
$value = $form_state->getValue(['seckit_fp', 'feature_policy_policy']);
if ($value !== str_replace(array("\r", "\n"), '', (string) $value)) {
$form_state->setErrorByName('seckit_fp][feature_policy_policy', t('Feature policy cannot contain newlines.'));
}
$value = $form_state->getValue(['seckit_various', 'from_origin_destination']);
if ($value !== str_replace(array("\r", "\n"), '', (string) $value)) {
$form_state->setErrorByName('seckit_various][from_origin_destination', t('Allow loading content to cannot contain newlines.'));
}
}
/**
......
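Review bot: The newline check added in validateForm builds `$csp_textareas` without `report-uri` and `policy-uri`, even though this same commit turns both into single-row textareas alongside the listed directives and their values are, from the field descriptions, emitted in the Content-Security-Policy header as well; the Expect-CT `['seckit_ct', 'report_uri']` textarea likewise gets no check. Whether the response layer strips or rejects a CR/LF in a header value is not visible here, so the validation should cover every header-bound field: extend the list with `'connect-src', 'report-uri', 'policy-uri',` and add a block mirroring the `seckit_fp` one for `$form_state->getValue(['seckit_ct', 'report_uri'])` with error name `seckit_ct][report_uri`. The new lines also use the global `t()` and `array()` where the rest of the class uses `$this->t()` and `[]` (compare the `setErrorByName` call at the top of the hunk), so `$this->t('CSP directives cannot contain newlines.')` would keep the messages consistent with the injected string translation. validateForm begins and the class continues outside the hunk.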
......@@ -354,6 +354,31 @@ class SecKitTestCaseTest extends BrowserTestBase {
}
}
/**
* Tests submitting a long value for a Content Security Policy directive.
*/
public function testCspDirectiveLongValue() {
$long_csp_directive = str_repeat('CSP', 1000);
$form['seckit_xss[csp][checkbox]'] = TRUE;
$form['seckit_xss[csp][default-src]'] = $long_csp_directive;
$this->drupalGet('admin/config/system/seckit');
$this->submitForm($form, t('Save configuration'));
$expected = 'default-src ' . $long_csp_directive . '; report-uri ' . base_path() . $this->reportPath;
$this->assertSession()->responseHeaderEquals('Content-Security-Policy', $expected);
}
/**
* Tests submitting a multiline value for a Content Security Policy directive.
*/
public function testCspDirectiveMultilineValue() {
$form['seckit_xss[csp][checkbox]'] = TRUE;
$form['seckit_xss[csp][frame-ancestors]'] = "first\nsecond";
$this->drupalGet('admin/config/system/seckit');
$this->submitForm($form, t('Save configuration'));
$expected = t('CSP directives cannot contain newlines.');
$this->assertSession()->responseContains($expected, t('Multiline Content-Security-Policy directive rejected.'));
}
/**
* Tests disabled X-XSS-Protection HTTP response header.
*/
......
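Review bot: testCspDirectiveMultilineValue passes a second argument to `responseContains()`, but Mink's WebAssert takes only the expected text there and, as far as I recall, Drupal's wrapper deprecates extra arguments, so the `t('Multiline Content-Security-Policy directive rejected.')` message is at best ignored; `$this->assertSession()->responseContains((string) $expected);` is the safer form. The test also only proves the error text is rendered; it does not assert that the rejected value never reached a header, which is the property the validation exists to protect, so `$this->assertSession()->responseHeaderNotContains('Content-Security-Policy', 'first');` after the submit would pin it (presumably CSP is not enabled before this submission). Both new tests start with `$form['...'] = ...` on an undeclared variable; an initial `$form = [];` makes the intent explicit and keeps static analysis quiet.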