added validation for excluded paths

ocio_simplesamlphp_auth.module

@@ -266,7 +266,7 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
     );
   // excluded paths
   $excludeInstructions = array(
-    t('Use  <front > to exclude the front page.'),
+    t('Use  <front> to exclude the front page.'),
     t('Use relative path to exclude content and other internal Drupal pages. <em>Example: /about/contact</em>'),
     t('Use absolute path to exclude Drupal bootstrap enabled PHP scripts. <em>Example: /path/to/drupal/script/filename.php</em>'),
   );
@@ -279,6 +279,67 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
   );
 }
 
+function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_validate($form, &$form_state)
+{
+  $absolutes = array();
+
+  // Add leading slash to paths (except for <front>). Trims extra whitespace
+  // and prepares exclusions for saving.
+  $exclude_paths = explode(PHP_EOL, $form_state['values']['ocio_simplesamlphp_auth_require_login_excluded_paths']);
+  foreach ($exclude_paths as $key => $exclude_path) {
+    $exclude_path = trim($exclude_path);
+    if (empty($exclude_path) || $exclude_path == '<front>') {
+      continue;
+    }
+    $url = parse_url($exclude_path);
+
+    // Detect invalid absolute domain in path.
+    if (isset($url['scheme']) || isset($url['host']) || preg_match('/^www./i', $url['path'])) {
+      $absolutes[] = trim($exclude_path);
+    }
+
+    // Confirm leading forward slash presence.
+    else if (substr($exclude_path, 0, 1) != '/') {
+      $exclude_paths[$key] = '/'. $exclude_path;
+    }
+
+    // Trim unnecessary whitespace from ends.
+    else {
+      $exclude_paths[$key] = $exclude_path;
+    }
+  }
+  $form_state['values']['ocio_simplesamlphp_auth_require_login_excluded_paths'] = implode(PHP_EOL, $exclude_paths);
+
+  // Throw error if absolute paths were detected.
+  if ($absolutes) {
+    form_set_error('require_login_excluded_paths', t('Excluded paths shouldn\'t include protocol or domain name. Invalid paths:<br />!paths', array(
+      '!paths' => implode('<br />', $absolutes),
+    )));
+  }
+
+  // Add leading slash to user login path. Trims extra whitespace and prepares
+  // user login path for saving.
+  if (!empty($form_state['values']['ocio_simplesamlphp_auth_require_login_auth_path'])) {
+    $auth_path = trim($form_state['values']['ocio_simplesamlphp_auth_require_login_auth_path']);
+    $url = parse_url($auth_path);
+
+    // Detect invalid absolute domain in path.
+    if (isset($url['scheme']) || isset($url['host']) || preg_match('/^www./i', $url['path'])) {
+      form_set_error('ocio_simplesamlphp_auth_require_login_auth_path', t('User login path must be relative.'));
+    }
+
+    // Confirm leading forward slash presence.
+    else if (substr($auth_path, 0, 1) != '/') {
+      $form_state['values']['ocio_simplesamlphp_auth_require_login_auth_path'] = '/'. $auth_path;
+    }
+
+    // Trim unnecessary whitespace from ends.
+    else {
+      $form_state['values']['ocio_simplesamlphp_auth_require_login_auth_path'] = $auth_path;
+    }
+  }
+}
+
 /**
  * Implements hook_form_FORM_ID_alter
  * FORM_ID = user_register_form
@@ -569,10 +630,10 @@ function ocio_simplesamlphp_auth_init() {
       $redirect['query']['ReturnTo'] = $base_url . $returnTo;
     }
 
-    drupal_goto(ltrim($redirect['path'], ''), array(
-      'query' => isset($redirect['query']) ? $redirect['query'] : array(),
-      'fragment' => isset($redirect['fragment']) ? $redirect['fragment'] : '',
-    ));
+    // drupal_goto(ltrim($redirect['path'], ''), array(
+    //   'query' => isset($redirect['query']) ? $redirect['query'] : array(),
+    //   'fragment' => isset($redirect['fragment']) ? $redirect['fragment'] : '',
+    // ));
   }
 }