Problem/Motivation
The link module only validates http and https, but not other scheme names such as git or ftp.
In Drupal 7, the validation can be turned off, thereby allowing the input of other scheme names. D7 sites could use this to use other scheme names, which will then not be valid in D8 any more.
Even better would be a option in the field configuration to set which scheme names are valid for this field.
Proposed resolution
- Allow custom protocols.
Add more protocols to the list of allowed protocolsLet's do this in a follow-up issue.
Remaining tasks
List protocols which will be validated by Drupal.To be handled in the follow-up issue.Add field configuration for allowing custom protocols.Done.Ensure field validation included the custom protocols in the whitelist.Done.- Add tests.
User interface changes
A new text field added to the Link field configuration form, empty by default, that accepts a comma-separated list of protocols that will be allowed in addition to the hard-coded ones.
API changes
+++ b/core/lib/Drupal/Component/Utility/UrlHelper.php
@@ -209,11 +209,13 @@ public static function encodePath($path) {
- public static function isExternal($path) {
+ public static function isExternal($path, $protocol_whitelist = []) {
+++ b/core/lib/Drupal/Component/Utility/UrlHelper.php
@@ -353,8 +357,8 @@ public static function setAllowedProtocols(array $protocols = []) {
- public static function stripDangerousProtocols($uri) {
+ public static function stripDangerousProtocols($uri, $whitelist = []) {
+++ b/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php
@@ -40,6 +40,8 @@ interface UnroutedUrlAssemblerInterface {
+ * - 'protocol_whitelist': An explicit whitelist of protocols to be allowed
+ * in addition to those traditionally allowed. Defaults to an empty array.
This adds a new option to the $options array.
Data model changes
Added to the Link field configuration schema:
+++ b/core/modules/link/config/schema/link.schema.yml
@@ -49,6 +49,9 @@ field.field_settings.link:
+ protocol_whitelist:
+ type: string
+ label: 'Protocol whitelist'
Comment | File | Size | Author |
---|---|---|---|
#52 | 2031149-48.patch | 11.92 KB | liquidcms |
#47 | interdiff_2031149_45-47.txt | 1.29 KB | ankithashetty |
#47 | 2031149-47.patch | 11.92 KB | ankithashetty |
#46 | interdiff-45_46.txt | 629 bytes | Gauravvvv |
#46 | 2031149-46.patch | 11.96 KB | Gauravvvv |
Issue fork drupal-2031149
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
Mac_Weber CreditAttribution: Mac_Weber commentedPostponing feature requests as of the allowed beta changes https://www.drupal.org/contribute/core/beta-changes
Comment #2
mgiffordDrupal 8-beta 1 has been released.
Comment #3
Mac_Weber CreditAttribution: Mac_Weber as a volunteer commentedActually we are on Beta 15 now. Please read the policy at https://www.drupal.org/contribute/core/beta-changes
Comment #4
mgiffordYup.. I was just going on why this was postponed initially. Totally good to move this to 8.1 and postpone it as something to tackle there.
Comment #5
Mac_Weber CreditAttribution: Mac_Weber as a volunteer commentedComment #6
Mac_Weber CreditAttribution: Mac_Weber as a volunteer commentedComment #15
colanI'm currently working on a solution to allow for a custom protocol whitelist, specified in the field settings. There won't be any custom validation just yet. I'd suggest handling that in a follow-up issue.
Comment #16
colanI updated the title as per my previous comment.
This patch adds a new configuration option that takes a comma-separated list of additional protocols, which are added to the default whitelist.
Comment #18
colanLooks like I forgot to add the new configurable to the schema.
Comment #19
colanUpdated IS (while waiting for test results).
Comment #21
colanEnsured that the whitelist is actually an array if unset.
Comment #23
colanComment #25
colanHopefully this does the trick. I updated some expected test results, and also moved some new code to its own method to make things cleaner.
Comment #27
colanThis adds the extra blank line I missed.
I can't fix the build failure, but assuming that clears up on its own, we should now be left with the Drupal\Tests\link\Functional\LinkFieldUITest::testFieldUI error:
Anyone have any ideas?
Comment #29
colanThrough my own testing, the above patches won't work because the storage is assuming a string, when it should actually be an array.
Comment #30
colanComment #32
colanwhitelist
->allowlist
Comment #33
raman.b CreditAttribution: raman.b at OpenSense Labs commentedRe-rolling for 9.1.x and handling #32.1
Comment #34
raman.b CreditAttribution: raman.b at OpenSense Labs commentedTriggering the tests
Comment #35
raman.b CreditAttribution: raman.b at OpenSense Labs commentedMissed a few instances
Comment #37
mparker17Here is the patch from #35 rebased onto 8.9.x and 9.0.x (no interdiff because no changes).
Comment #38
blade_ukraine CreditAttribution: blade_ukraine commentedI have an issue with #35, it does not apply to Drupal 9.1.5. Added fixes to the #35 patch for support Drupal 9.1.5.
Comment #39
Suresh Prabhu Parkala CreditAttribution: Suresh Prabhu Parkala at Specbee commentedA re-rolled patch against 9.2.x-dev.
Comment #41
wjackson CreditAttribution: wjackson as a volunteer and at Kanopi Studios commentedThe patch in #39 works as expected and allows me to add additional protocols as part of the field configuration.
Comment #42
wjackson CreditAttribution: wjackson as a volunteer and at Kanopi Studios commentedMarking as RTBC, as this successfully applies and works as requested in the original ticket description.
Comment #43
quietone CreditAttribution: quietone as a volunteer commentedSorry, this is still work to do here.
The Issue Summary and the tags state that this needs tests and I do not see a test of the new schema property, 'protocol_allowlist'. The patch in #39 is for 9.2.x instead of 9.3.x and it is not passing the commit code check.
The new property name 'protocol_allowlist' is a unusual, all the other instances in core of something that is allowed begins with the word allow. Therefor I think the name should be 'allowed_protocols'. And this change will require an Issue Summary update.
s/array/string[]/
s/array $protocol_allowlist /string[] $allowed_protocols/
There are many, many places in the patch where $protocol_allowlist should be changed.
I think custom is better than extra and there is no need to add strings, the hint is above.
'The list of custom allowed protocols'.
As above
This feels clumsy. How about, "Validate the format of the allowed_protocol list.'
It would probably be a good idea to add a sentence that this is not validating the protocols. The user can enter meaningless strings here.
Not convinced the comment is needed here and the code can be simpler. One option is
Comment #44
quietone CreditAttribution: quietone as a volunteer commentedThis also changes the user interface for the link field settings so a screenshot before and after is needed. The screenshots needs to be added to the Issue Summary to help reviewers and committers, thanks.
Comment #45
ankithashettyUpdated the patch in #39 to address all the changes provided in #43. Also fixed the custom command failure errors shown in #39. Kindly review the changes made in this patch.
Thank you!
Comment #46
Gauravvvv CreditAttribution: Gauravvvv at OpenSense Labs for Drupal India Association commentedFixed custom command failed for unknown word. patch added and interdiff attached. Please review
Comment #47
ankithashettyThe CSpell check failed in
core/modules/link/src/Plugin/Validation/Constraint/LinkExternalProtocolsConstraintValidator.php
file, so updated the patch accordingly.Thank you!
Comment #52
liquidcms CreditAttribution: liquidcms commentedPatch from #47 doesn't apply to D9.4 (due to the smallest change in Umani demo config files).
This patch works for 9.4. Haven't tested with 9.5 but suspect it works there as well.
Comment #56
s_leu CreditAttribution: s_leu at Tag1 Consulting commentedComment #57
smustgrave CreditAttribution: smustgrave at Mobomo commentedSeems to have a test failure
Left some comments on MR.
Previously tagged for issue summary and screenshots.
Leaving tests tag as they will be needed for post_update hook.