Add form validation to guard against bad links

[kevwalsh]

User Story or Problem Statement

We've seen a lot of links to internal VA domains. Broken link tests (such as node link report or the one in the content build) cannot catch these, because those tests operate within the VA network and can access those links fine. We can't easily build tools that can reproduce the conditions outside the work and provide feedback inside the network.

User story As an editor adding a URL to VA.gov CMS that is not available outside the VA network, I want form validation (or a warning?) that prevents me from saving it, and provides useful feedback about why, so that i know what to fix about my link.

As a CMS team member, i can add, or remove disallowed URL patterns on prod, so that i can quickly guard against (or create exceptions) based on request fulfillment, or other reported problems with the configuration.

Related issues

• 6330

• 5462

Acceptance Criteria

• [ ] Editors are prevented from adding Outlook links to link fields
• [ ] Editors are prevented from adding Sharepoint links to link fields
• [ ] Editors are prevented from adding Teams links to link fields
• [ ] Editors are prevented from adding intranet links to link fields
• [ ] Consider if link fields are the only place to prevent (should rich text fields be considered)
• [ ] KB should be exempt from link validation, it assumes VA network access already.
• [ ] Helpful guidance that explains the why is provided, possibly linking out to this KB article

Implementation steps

We need the opposite of https://www.drupal.org/project/link_allowed_hosts Need this https://www.drupal.org/project/node_link_report/issues/3216113

Config should be ignored

Design principles

Veteran-centered

• [ ] Single source of truth: Increase reliability and consistency of content on VA.gov by providing a single source of truth.
• [x] Accessible, plain language: Provide guardrails and guidelines to ensure content quality.
• [ ] Purposely structured content: Ensure Content API can deliver content whose meaning matches its structure.
• [ ] Content lifecycle governance: Produce tools, processes and policies to maintain content quality throughout its lifecycle.

Editor-centered

• [ ] Purpose-driven: Create an opportunity to involve the editor community in VA’s mission and content strategy goals.
• [ ] Efficient: Remove distractions and create clear, straightforward paths to get the job done.
• [ ] Approachable: Offer friendly guidance over authoritative instruction.
• [ ] Consistent: Reduce user’s mental load by allowing them to fall back on pattern recognition to complete tasks.
• [x] Empowering: Provide clear information to help editors make decisions about their work.

CMS Team

Please leave only the team that will do this work selected. If you're not sure, it's fine to leave both selected.

• [ ] Platform CMS Team
• [x] Sitewide CMS Team

[swirtSJW]

It would be very nice if this could be a contrib module. Basically a module with a bunc of validation constraints that can be turned on and off in UI and some fields for adding "never link" domains.

I thought about having it added to the node link_report_module, but that expands the module's concern from reporting, to validating, which then makes it a lie.

[EWashb]

Identified as an opportunity through #8536

[EWashb]

This will need a new think...is the "bad links" list exhaustive? Are we missing something? This list includes particular types of links but we might need to think through particular processes/workflows that could cause bad links to happen outside of what a bad link is defined as.