[HtmlSanitizer] Allow null for sanitizer option allowed_link_hosts and allowed_media_hosts

Author: plfort

DependencyInjection/Configuration.php

@@ -1912,7 +1912,7 @@ private function addHttpClientRetrySection()
                     ->integerNode('max_delay')->defaultValue(0)->min(0)->info('Max time in ms that a retry should ever be delayed (0 = infinite)')->end()
                     ->floatNode('jitter')->defaultValue(0.1)->min(0)->max(1)->info('Randomness in percent (between 0 and 1) to apply to the delay')->end()
                 ->end()
-            ;
+        ;
     }
 
     private function addMailerSection(ArrayNodeDefinition $rootNode, callable $enableIfStandalone)
@@ -2223,9 +2223,13 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
                                         ->info('Allows only a given list of schemes to be used in links href attributes.')
                                         ->scalarPrototype()->end()
                                     ->end()
-                                    ->arrayNode('allowed_link_hosts')
+                                    ->variableNode('allowed_link_hosts')
                                         ->info('Allows only a given list of hosts to be used in links href attributes.')
-                                        ->scalarPrototype()->end()
+                                        ->defaultValue(null)
+                                        ->validate()
+                                            ->ifTrue(function ($v) { return !\is_array($v) && null !== $v; })
+                                            ->thenInvalid('The "allowed_link_hosts" parameter must be an array or null')
+                                        ->end()
                                     ->end()
                                     ->booleanNode('allow_relative_links')
                                         ->info('Allows relative URLs to be used in links href attributes.')
@@ -2235,9 +2239,13 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
                                         ->info('Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).')
                                         ->scalarPrototype()->end()
                                     ->end()
-                                    ->arrayNode('allowed_media_hosts')
+                                    ->variableNode('allowed_media_hosts')
                                         ->info('Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).')
-                                        ->scalarPrototype()->end()
+                                        ->defaultValue(null)
+                                        ->validate()
+                                            ->ifTrue(function ($v) { return !\is_array($v) && null !== $v; })
+                                            ->thenInvalid('The "allowed_media_hosts" parameter must be an array or null')
+                                        ->end()
                                     ->end()
                                     ->booleanNode('allow_relative_medias')
                                         ->info('Allows relative URLs to be used in media source attributes (img, audio, video, ...).')

Tests/DependencyInjection/Fixtures/php/html_sanitizer_default_allowed_link_and_media_hosts.php

@@ -0,0 +1,10 @@
+<?php
+
+$container->loadFromExtension('framework', [
+    'http_method_override' => false,
+    'html_sanitizer' => [
+        'sanitizers' => [
+            'custom_default' => null,
+        ],
+    ],
+]);

Tests/DependencyInjection/Fixtures/xml/html_sanitizer_default_allowed_link_and_media_hosts.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd
+                        http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+    <config xmlns="http://symfony.com/schema/dic/symfony" http-method-override="false">
+        <html-sanitizer>
+            <sanitizer name="custom_default"/>
+        </html-sanitizer>
+    </config>
+</container>

Tests/DependencyInjection/Fixtures/yml/html_sanitizer_default_allowed_link_and_media_hosts.yml

@@ -0,0 +1,5 @@
+framework:
+    http_method_override: false
+    html_sanitizer:
+        sanitizers:
+            custom_default: ~

Tests/DependencyInjection/FrameworkExtensionTest.php

@@ -2103,6 +2103,15 @@ static function ($call) {
         $this->assertFalse($container->hasAlias(HtmlSanitizerInterface::class.' $default'));
     }
 
+    public function testHtmlSanitizerDefaultNullAllowedLinkMediaHost()
+    {
+        $container = $this->createContainerFromFile('html_sanitizer_default_allowed_link_and_media_hosts');
+
+        $calls = $container->getDefinition('html_sanitizer.config.custom_default')->getMethodCalls();
+        $this->assertContains(['allowLinkHosts', [null], true], $calls);
+        $this->assertContains(['allowMediaHosts', [null], true], $calls);
+    }
+
     public function testHtmlSanitizerDefaultConfig()
     {
         $container = $this->createContainerFromFile('html_sanitizer_default_config');