Improve validation handling

w1ll-i-code · w1ll-i-code · commit 4ffe4927396f · 2025-05-13T18:08:27.000+02:00
diff --git a/application/forms/Config/General/ApplicationConfigForm.php b/application/forms/Config/General/ApplicationConfigForm.php
@@ -9,6 +9,7 @@
 use Icinga\Web\Form;
 use Icinga\Util\Csp;
 use Icinga\Web\Notification;
+use Zend_Validate_Callback;
 
 /**
  * Configuration form for general application options
@@ -63,6 +64,7 @@ public function createElements(array $formData)
             'security_use_strict_csp',
             [
                 'label'         => $this->translate('Enable strict content security policy'),
+                'autosubmit'    => true,
                 'description'   => $this->translate(
                     'Set whether to use strict content security policy (CSP).'
                     . ' This setting helps to protect from cross-site scripting (XSS).'
@@ -71,21 +73,51 @@ public function createElements(array $formData)
         );
 
         $securityImageSourceWhitelistHidden =
-            !(boolean) Icinga::app()->getConfig()->get("security", "use_strict_csp", false);
-        $securityImageSourceWhitelistHiddenClass = $securityImageSourceWhitelistHidden ? 'input-hidden' : '';
-        $this->addElement(
-            'text',
-            'security_image_source_whitelist',
-            [
-                'label'         => $this->translate('Domains whitelist for the CSP image source'),
-                'placeholder'   => $this->translate('No external domains whitelisted'),
-                'class'         => $securityImageSourceWhitelistHiddenClass,
-                'description'   => $this->translate(
-                    'This whitelist allows you to specify a comma separated list of trusted hosts, '
-                    . 'from which images for the icingaweb2 UI can be loaded.'
-                )
-            ]
-        );
+            ! (boolean) Icinga::app()->getConfig()->get("security", "use_strict_csp", false)
+            && ! $formData['security_use_strict_csp'];
+
+        if (! $securityImageSourceWhitelistHidden) {
+            $callbackValidator = new Zend_Validate_Callback(function ($value) {
+                foreach (explode(",", $value) as $imageSource) {
+                    try {
+                        Csp::validateImageSourceWhitelistItem($imageSource);
+                    }catch (SecurityException $e) {
+                        Notification::error($e->getMessage());
+                        return false;
+                    }
+                }
+
+                return true;
+            });
+
+            $this->addElement(
+                'text',
+                'security_image_source_whitelist',
+                [
+                    'label'         => $this->translate('Domains whitelist for the CSP image source'),
+                    'placeholder'   => $this->translate('No external domains whitelisted'),
+                    'validators'    => [$callbackValidator],
+                    'description'   => $this->translate(
+                        'This whitelist allows you to specify a comma separated list of trusted hosts, '
+                        . 'from which images for the icingaweb2 UI can be loaded.'
+                    )
+                ]
+            );
+        } else {
+            $this->addElement(
+                'hidden',
+                'security_image_source_whitelist'
+                [
+                    'validators' => [new Zend_Validate_Callback(function ($value) {
+                        foreach (explode(",", $value) as $imageSource) {
+                            // This can only be triggered by a malicious actor.
+                            // If any url is invalid, it will throw an expection.
+                            Csp::validateImageSourceWhitelistItem($imageSource);
+                        }
+                    })]
+                ]
+            );
+        }
 
         $this->addElement(
             'text',
@@ -122,23 +154,4 @@ public function createElements(array $formData)
 
         return $this;
     }
-
-    /**
-     * @inheritDoc
-     */
-    public function isValid($formData)
-    {
-        $imageSourceWhitelist = $formData["security_image_source_whitelist"] ?? "";
-        $valid = true;
-        foreach (explode(",", $imageSourceWhitelist) as $imageSource) {
-            try {
-                Csp::validateImageSourceWhitelistItem($imageSource);
-            }catch (SecurityException $e) {
-                Notification::error($e->getMessage());
-                $valid = false;
-            }
-        }
-
-        return $valid && parent::isValid($formData);
-    }
 }
diff --git a/public/css/icinga/forms.less b/public/css/icinga/forms.less
@@ -33,10 +33,6 @@ form.icinga-form {
         margin-bottom: 0;
       }
     }
-
-    &:has(.input-hidden) {
-      display: none;
-    }
   }
 
   .control-group > :not(.control-label-group) {

Original file line number	Diff line number	Diff line change
`@@ -33,10 +33,6 @@ form.icinga-form {`
`33`	`33`	`margin-bottom: 0;`
`34`	`34`	`}`
`35`	`35`	`}`
`36`		`-`
`37`		`- &:has(.input-hidden) {`
`38`		`- display: none;`
`39`		`- }`
`40`	`36`	`}`
`41`	`37`
`42`	`38`	`.control-group > :not(.control-label-group) {`