Merge branch '6.2' into 6.3

javiereguiluz · javiereguiluz · commit 7f2506d22a93 · 2023-04-03T10:57:49.000+02:00
* 6.2:
  Apply suggestions from code review
  Update HTML Sanitizer doc for `max_input_length` option
  Fix bug return type of closure
  fix missing 'private' declaration
diff --git a/form/use_empty_data.rst b/form/use_empty_data.rst
@@ -94,7 +94,7 @@ The closure must accept a ``FormInterface`` instance as the first argument::
     public function configureOptions(OptionsResolver $resolver): void
     {
         $resolver->setDefaults([
-            'empty_data' => function (FormInterface $form) {
+            'empty_data' => function (FormInterface $form): Blog {
                 return new Blog($form->get('title')->getData());
             },
         ]);
diff --git a/html_sanitizer.rst b/html_sanitizer.rst
@@ -931,6 +931,73 @@ the HTML sanitizer: ``src``, ``href``, ``lowsrc``, ``background`` and ``ping``.
                 ->allowRelativeMedias()
         );
 
+Max Input Length
+~~~~~~~~~~~~~~~~
+
+In order to prevent `DoS attacks`_, by default the HTML sanitizer limits the
+input length to ``20000`` characters (as measured by ``strlen($input)``). All
+the contents exceeding that length will be truncated. Use this option to
+increase or decrease this limit:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/html_sanitizer.yaml
+        framework:
+            html_sanitizer:
+                sanitizers:
+                    app.post_sanitizer:
+                        # ...
+
+                        # inputs longer (in characters) than this value will be truncated
+                        max_input_length: 30000 # default: 20000
+
+    .. code-block:: xml
+
+        <!-- config/packages/html_sanitizer.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <framework:html-sanitizer>
+                    <framework:sanitizer name="app.post_sanitizer">
+                        <!-- inputs longer (in characters) than this value will be truncated (default: 20000) -->
+                        <framework:max-input-length>20000</framework:max-input-length>
+                    </framework:sanitizer>
+                </framework:html-sanitizer>
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/framework.php
+        use Symfony\Config\FrameworkConfig;
+
+        return static function (FrameworkConfig $framework) {
+            $framework->htmlSanitizer()
+                ->sanitizer('app.post_sanitizer')
+                    // inputs longer (in characters) than this value will be truncated (default: 20000)
+                    ->withMaxInputLength(20000)
+            ;
+        };
+
+    .. code-block:: php-standalone
+
+        use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
+        use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
+
+        $postSanitizer = new HtmlSanitizer(
+            (new HtmlSanitizerConfig())
+                // inputs longer (in characters) than this value will be truncated (default: 20000)
+                ->withMaxInputLength(20000)
+        );
+
 Custom Attribute Sanitizers
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -1013,3 +1080,4 @@ to enable it for an HTML sanitizer:
 
 .. _`HTML Sanitizer W3C Standard Proposal`: https://wicg.github.io/sanitizer-api/
 .. _`W3C Standard Proposal`: https://wicg.github.io/sanitizer-api/
+.. _`DoS attacks`: https://en.wikipedia.org/wiki/Denial-of-service_attack
diff --git a/security/access_denied_handler.rst b/security/access_denied_handler.rst
@@ -34,7 +34,7 @@ unauthenticated user tries to access a protected resource::
     class AuthenticationEntryPoint implements AuthenticationEntryPointInterface
     {
         public function __construct(
-            UrlGeneratorInterface $urlGenerator,
+            private UrlGeneratorInterface $urlGenerator,
         ) {
         }
 

Original file line number	Diff line number	Diff line change
@@ -94,7 +94,7 @@ The closure must accept a ``FormInterface`` instance as the first argument::
`94`	`94`	`public function configureOptions(OptionsResolver $resolver): void`
`95`	`95`	`{`
`96`	`96`	`$resolver->setDefaults([`
`97`		`- 'empty_data' => function (FormInterface $form) {`
	`97`	`+ 'empty_data' => function (FormInterface $form): Blog {`
`98`	`98`	`return new Blog($form->get('title')->getData());`
`99`	`99`	`},`
`100`	`100`	`]);`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ unauthenticated user tries to access a protected resource::`
`34`	`34`	`class AuthenticationEntryPoint implements AuthenticationEntryPointInterface`
`35`	`35`	`{`
`36`	`36`	`public function __construct(`
`37`		`- UrlGeneratorInterface $urlGenerator,`
	`37`	`+ private UrlGeneratorInterface $urlGenerator,`
`38`	`38`	`) {`
`39`	`39`	`}`
`40`	`40`