bug #46849 [HtmlSanitizer] Allow null for sanitizer option allowed_link_hosts and allowed_media_hosts (plfort)

This PR was squashed before being merged into the 6.1 branch.

Discussion
----------

[HtmlSanitizer] Allow null for sanitizer option `allowed_link_hosts` and `allowed_media_hosts`

| Q             | A
| ------------- | ---
| Branch?       | 6.1
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #46647
| License       | MIT
| Doc PR        |

I set `allowed_link_hosts` an `allowed_media_hosts` default value to `null` instead of an empty array, this introduces a breaking change.
We can keep the current behavior by setting `defaultValue([])` in `Configuration.php` but I don't know how to set the default value to an empty array **and set it to `null` manually in XML configuration**.

Need your help 😅

Commits
-------

d3780c5d12 [HtmlSanitizer] Allow null for sanitizer option `allowed_link_hosts` and `allowed_media_hosts`

Author: nicolas-grekas

DependencyInjection/Configuration.php

@@ -2223,9 +2223,13 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
                                         ->info('Allows only a given list of schemes to be used in links href attributes.')
                                         ->scalarPrototype()->end()
                                     ->end()
-                                    ->arrayNode('allowed_link_hosts')
+                                    ->variableNode('allowed_link_hosts')
                                         ->info('Allows only a given list of hosts to be used in links href attributes.')
-                                        ->scalarPrototype()->end()
+                                        ->defaultValue(null)
+                                        ->validate()
+                                            ->ifTrue(function ($v) { return !\is_array($v) && null !== $v; })
+                                            ->thenInvalid('The "allowed_link_hosts" parameter must be an array or null')
+                                        ->end()
                                     ->end()
                                     ->booleanNode('allow_relative_links')
                                         ->info('Allows relative URLs to be used in links href attributes.')
@@ -2235,9 +2239,13 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
                                         ->info('Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).')
                                         ->scalarPrototype()->end()
                                     ->end()
-                                    ->arrayNode('allowed_media_hosts')
+                                    ->variableNode('allowed_media_hosts')
                                         ->info('Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).')
-                                        ->scalarPrototype()->end()
+                                        ->defaultValue(null)
+                                        ->validate()
+                                            ->ifTrue(function ($v) { return !\is_array($v) && null !== $v; })
+                                            ->thenInvalid('The "allowed_media_hosts" parameter must be an array or null')
+                                        ->end()
                                     ->end()
                                     ->booleanNode('allow_relative_medias')
                                         ->info('Allows relative URLs to be used in media source attributes (img, audio, video, ...).')

Tests/DependencyInjection/Fixtures/php/html_sanitizer_default_allowed_link_and_media_hosts.php

@@ -0,0 +1,10 @@
+<?php
+
+$container->loadFromExtension('framework', [
+    'http_method_override' => false,
+    'html_sanitizer' => [
+        'sanitizers' => [
+            'custom_default' => null,
+        ],
+    ],
+]);

Tests/DependencyInjection/Fixtures/xml/html_sanitizer_default_allowed_link_and_media_hosts.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd
+                        http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+    <config xmlns="http://symfony.com/schema/dic/symfony" http-method-override="false">
+        <html-sanitizer>
+            <sanitizer name="custom_default"/>
+        </html-sanitizer>
+    </config>
+</container>

Tests/DependencyInjection/Fixtures/yml/html_sanitizer_default_allowed_link_and_media_hosts.yml

@@ -0,0 +1,5 @@
+framework:
+    http_method_override: false
+    html_sanitizer:
+        sanitizers:
+            custom_default: ~

Tests/DependencyInjection/FrameworkExtensionTest.php

@@ -2111,6 +2111,15 @@ static function ($call) {
         $this->assertFalse($container->hasAlias(HtmlSanitizerInterface::class.' $default'));
     }
 
+    public function testHtmlSanitizerDefaultNullAllowedLinkMediaHost()
+    {
+        $container = $this->createContainerFromFile('html_sanitizer_default_allowed_link_and_media_hosts');
+
+        $calls = $container->getDefinition('html_sanitizer.config.custom_default')->getMethodCalls();
+        $this->assertContains(['allowLinkHosts', [null], true], $calls);
+        $this->assertContains(['allowMediaHosts', [null], true], $calls);
+    }
+
     public function testHtmlSanitizerDefaultConfig()
     {
         $container = $this->createContainerFromFile('html_sanitizer_default_config');