From d3780c5d126dfe732ab8cb4e515673c1398e8325 Mon Sep 17 00:00:00 2001
From: plfort
Date: Mon, 4 Jul 2022 21:57:03 +0200
Subject: [PATCH] [HtmlSanitizer] Allow null for sanitizer option `allowed_link_hosts` and `allowed_media_hosts`
---
 .../DependencyInjection/Configuration.php | 18 +++++++++++++-----
 ...er_default_allowed_link_and_media_hosts.php | 10 ++++++++++
 ...er_default_allowed_link_and_media_hosts.xml | 13 +++++++++++++
 ...er_default_allowed_link_and_media_hosts.yml | 5 +++++
 .../FrameworkExtensionTest.php | 9 +++++++++
 5 files changed, 50 insertions(+), 5 deletions(-)
 create mode 100644 src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer_default_allowed_link_and_media_hosts.php
 create mode 100644 src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer_default_allowed_link_and_media_hosts.xml
 create mode 100644 src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer_default_allowed_link_and_media_hosts.yml
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index 43f268db06707..5c953034faf70 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -1912,7 +1912,7 @@ private function addHttpClientRetrySection()
 ->integerNode('max_delay')->defaultValue(0)->min(0)->info('Max time in ms that a retry should ever be delayed (0 = infinite)')->end()
 ->floatNode('jitter')->defaultValue(0.1)->min(0)->max(1)->info('Randomness in percent (between 0 and 1) to apply to the delay')->end()
 ->end()
- ;
+ ;
 }
 
 private function addMailerSection(ArrayNodeDefinition $rootNode, callable $enableIfStandalone)
@@ -2223,9 +2223,13 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
 ->info('Allows only a given list of schemes to be used in links href attributes.')
 ->scalarPrototype()->end()
 ->end()
- ->arrayNode('allowed_link_hosts')
+ ->variableNode('allowed_link_hosts')
 ->info('Allows only a given list of hosts to be used in links href attributes.')
- ->scalarPrototype()->end()
+ ->defaultValue(null)
+ ->validate()
+ ->ifTrue(function ($v) { return !\is_array($v) && null !== $v; })
+ ->thenInvalid('The "allowed_link_hosts" parameter must be an array or null')
+ ->end()
 ->end()
 ->booleanNode('allow_relative_links')
 ->info('Allows relative URLs to be used in links href attributes.')
@@ -2235,9 +2239,13 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
 ->info('Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).')
 ->scalarPrototype()->end()
 ->end()
- ->arrayNode('allowed_media_hosts')
+ ->variableNode('allowed_media_hosts')
 ->info('Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).')
- ->scalarPrototype()->end()
+ ->defaultValue(null)
+ ->validate()
+ ->ifTrue(function ($v) { return !\is_array($v) && null !== $v; })
+ ->thenInvalid('The "allowed_media_hosts" parameter must be an array or null')
+ ->end()
 ->end()
 ->booleanNode('allow_relative_medias')
 ->info('Allows relative URLs to be used in media source attributes (img, audio, video, ...).')
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer_default_allowed_link_and_media_hosts.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer_default_allowed_link_and_media_hosts.php
new file mode 100644
index 0000000000000..952c066de0cc2
--- /dev/null
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer_default_allowed_link_and_media_hosts.php
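Review bot: The new validator on `allowed_link_hosts` accepts any array, so the per-entry check that `scalarPrototype()` gave is gone and a nested array or other non-string entry now passes configuration validation; the `allowed_media_hosts` hunk that follows has the same gap. Since these lists are the host allow-lists for sanitized links and media, I would reject malformed entries at config time, e.g. `->ifTrue(function ($v) { return null !== $v && (!\is_array($v) || [] !== array_filter($v, function ($h) { return !\is_string($h); })); })`, and adjust the `thenInvalid()` message to say "an array of strings or null". The `info()` text should also state what the default means, for instance `'Allows only a given list of hosts to be used in links href attributes (null, the default, applies no host restriction).'`; the sanitizer-side handling of `null` versus an empty list is not visible in this diff, so confirm that wording against the component. `addHtmlSanitizerSection()` starts and ends outside both hunks.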
@@ -0,0 +1,10 @@ +loadFromExtension('framework', [ + 'http_method_override' => false, + 'html_sanitizer' => [ + 'sanitizers' => [ + 'custom_default' => null, + ], + ], +]); diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer_default_allowed_link_and_media_hosts.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer_default_allowed_link_and_media_hosts.xml new file mode 100644 index 0000000000000..fff1592d37e0a --- /dev/null +++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer_default_allowed_link_and_media_hosts.xml @@ -0,0 +1,13 @@ + + + + + + + + + + diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer_default_allowed_link_and_media_hosts.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer_default_allowed_link_and_media_hosts.yml new file mode 100644 index 0000000000000..5c9ac2b475593 --- /dev/null +++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer_default_allowed_link_and_media_hosts.yml @@ -0,0 +1,5 @@ +framework: + http_method_override: false + html_sanitizer: + sanitizers: + custom_default: ~ diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php index e0e1c51d8752d..eaf240f8a93b6 100644 --- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php +++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php 
@@ -2103,6 +2103,15 @@ static function ($call) {
 $this->assertFalse($container->hasAlias(HtmlSanitizerInterface::class.' $default'));
 }
 
+ public function testHtmlSanitizerDefaultNullAllowedLinkMediaHost()
+ {
+ $container = $this->createContainerFromFile('html_sanitizer_default_allowed_link_and_media_hosts');
+
+ $calls = $container->getDefinition('html_sanitizer.config.custom_default')->getMethodCalls();
+ $this->assertContains(['allowLinkHosts', [null], true], $calls);
+ $this->assertContains(['allowMediaHosts', [null], true], $calls);
+ }
+
 public function testHtmlSanitizerDefaultConfig()
 {
 $container = $this->createContainerFromFile('html_sanitizer_default_config');
pFad - Phonifier reborn
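Review bot: `testHtmlSanitizerDefaultNullAllowedLinkMediaHost()` pins only the default, so the validator added in `Configuration.php` is never exercised: nothing here checks that a scalar value for `allowed_link_hosts` or `allowed_media_hosts` is rejected, or that an explicit list still reaches `allowLinkHosts` / `allowMediaHosts` as that list rather than as `null`. Both cases matter because `null` and a list are different host policies for the sanitizer. Unless a fixture outside this hunk already covers it, I would add one with an explicit list and assert `$this->assertContains(['allowLinkHosts', [['example.test']], true], $calls);` (`example.test` is a made-up value), plus a case that expects the configuration exception when the option is a plain string. The surrounding test class begins and ends outside the hunk.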
