[HtmlSanitizer] Remove MastermindsParser and add $context arg to ParserInterface::parse()

nicolas-grekas · nicolas-grekas · commit b291f58d88ad · 2025-08-12T14:27:10.000+02:00
diff --git a/UPGRADE-8.0.md b/UPGRADE-8.0.md
@@ -171,6 +171,12 @@ FrameworkBundle
  * Remove the `validation.cache` option
  * Remove `TranslationUpdateCommand` in favor of `TranslationExtractCommand`
 
+HtmlSanitizer
+-------------
+
+ * Remove `MastermindsParser`; use `NativeParser` instead
+ * Add argument `$context` to `ParserInterface::parse()`
+
 HttpFoundation
 --------------
 
diff --git a/src/Symfony/Component/HtmlSanitizer/CHANGELOG.md b/src/Symfony/Component/HtmlSanitizer/CHANGELOG.md
@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+8.0
+---
+
+ * Remove `MastermindsParser`; use `NativeParser` instead
+ * Add argument `$context` to `ParserInterface::parse()`
+
 7.4
 ---
 
diff --git a/src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php b/src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
@@ -11,7 +11,6 @@
 
 namespace Symfony\Component\HtmlSanitizer;
 
-use Symfony\Component\HtmlSanitizer\Parser\MastermindsParser;
 use Symfony\Component\HtmlSanitizer\Parser\NativeParser;
 use Symfony\Component\HtmlSanitizer\Parser\ParserInterface;
 use Symfony\Component\HtmlSanitizer\Reference\W3CReference;
@@ -35,7 +34,7 @@ public function __construct(
         ?ParserInterface $parser = null,
     ) {
         $this->config = $config;
-        $this->parser = $parser ?? (\PHP_VERSION_ID < 80400 ? new MastermindsParser() : new NativeParser());
+        $this->parser = $parser ?? new NativeParser();
     }
 
     public function sanitize(string $input): string
diff --git a/src/Symfony/Component/HtmlSanitizer/Parser/MastermindsParser.php b/src/Symfony/Component/HtmlSanitizer/Parser/MastermindsParser.php
diff --git a/src/Symfony/Component/HtmlSanitizer/Parser/NativeParser.php b/src/Symfony/Component/HtmlSanitizer/Parser/NativeParser.php
@@ -16,13 +16,6 @@
  */
 final class NativeParser implements ParserInterface
 {
-    public function __construct()
-    {
-        if (\PHP_VERSION_ID < 80400) {
-            throw new \LogicException(self::class.' requires PHP 8.4 or higher.');
-        }
-    }
-
     public function parse(string $html, string $context = 'body'): ?\Dom\Node
     {
         $document = @\Dom\HTMLDocument::createFromString(\sprintf('<!DOCTYPE html><%s>%s</%1$s>', $context, $html));
diff --git a/src/Symfony/Component/HtmlSanitizer/Parser/ParserInterface.php b/src/Symfony/Component/HtmlSanitizer/Parser/ParserInterface.php
@@ -25,5 +25,5 @@ interface ParserInterface
      *
      * @param string $context The name of the context element in which the HTML is parsed
      */
-    public function parse(string $html/* , string $context = 'body' */): \Dom\Node|\DOMNode|null;
+    public function parse(string $html, string $context = 'body'): \Dom\Node|\DOMNode|null;
 }
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php
@@ -64,11 +64,8 @@ public static function provideSanitizeHead()
     }
 
     #[DataProvider('provideSanitizeBody')]
-    public function testSanitizeBody(string $input, string $expected, ?string $legacyExpected = null)
+    public function testSanitizeBody(string $input, string $expected)
     {
-        if (\PHP_VERSION_ID < 80400) {
-            $expected = $legacyExpected ?? $expected;
-        }
         $this->assertSame($expected, $this->createSanitizer()->sanitize($input));
     }
 
@@ -87,7 +84,6 @@ public static function provideSanitizeBody()
             [
                 '< Hello',
                 '&lt; Hello',
-                ' Hello',
             ],
             [
                 'Lorem & Ipsum',
@@ -132,7 +128,6 @@ public static function provideSanitizeBody()
             [
                 '<<a href="javascript:evil"/>a href="javascript:evil"/>',
                 '&lt;<a>a href&#61;&#34;javascript:evil&#34;/&gt;</a>',
-                '<a>a href&#61;&#34;javascript:evil&#34;/&gt;</a>',
             ],
             [
                 '<a href="javascript:alert(\'ok\')">Test</a>',
@@ -169,12 +164,10 @@ public static function provideSanitizeBody()
             [
                 '<<img src="javascript:evil"/>iframe src="javascript:evil"/>',
                 '&lt;<img />iframe src&#61;&#34;javascript:evil&#34;/&gt;',
-                '<img />iframe src&#61;&#34;javascript:evil&#34;/&gt;',
             ],
             [
                 '<<img src="javascript:evil"/>img src="javascript:evil"/>',
                 '&lt;<img />img src&#61;&#34;javascript:evil&#34;/&gt;',
-                '<img />img src&#61;&#34;javascript:evil&#34;/&gt;',
             ],
             [
                 '<IMG SRC="javascript:alert(\'XSS\');">',
@@ -219,12 +212,10 @@ public static function provideSanitizeBody()
             [
                 '<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>',
                 '<img />',
-                '<img src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041" />',
             ],
             [
                 '<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>',
                 '<img />',
-                '<img src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29" />',
             ],
             [
                 '<IMG DYNSRC="javascript:alert(\'XSS\')">',
@@ -531,7 +522,6 @@ public static function provideSanitizeBody()
             [
                 '<table>Lorem ipsum</table>',
                 'Lorem ipsum<table></table>',
-                '<table>Lorem ipsum</table>',
             ],
             [
                 '<ul>Lorem ipsum</ul>',
@@ -545,12 +535,8 @@ public static function provideSanitizeBody()
     }
 
     #[DataProvider('provideSanitizeTable')]
-    public function testSanitizeTable(string $input, string $expected, ?string $legacyExpected = null)
+    public function testSanitizeTable(string $input, string $expected)
     {
-        if (\PHP_VERSION_ID < 80400) {
-            $expected = $legacyExpected ?? $expected;
-        }
-
         $this->assertSame($expected, $this->createSanitizer()->sanitizeFor('table', $input));
     }
 
@@ -564,32 +550,26 @@ public static function provideSanitizeTable(): iterable
             [
                 '<tbody>Lorem ipsum</tbody>',
                 '<tbody></tbody>',
-                '<tbody>Lorem ipsum</tbody>',
             ],
             [
                 '<td>Lorem ipsum</td>',
                 '<tbody><tr><td>Lorem ipsum</td></tr></tbody>',
-                '<td>Lorem ipsum</td>',
             ],
             [
                 '<tfoot>Lorem ipsum</tfoot>',
                 '<tfoot></tfoot>',
-                '<tfoot>Lorem ipsum</tfoot>',
             ],
             [
                 '<thead>Lorem ipsum</thead>',
                 '<thead></thead>',
-                '<thead>Lorem ipsum</thead>',
             ],
             [
                 '<th>Lorem ipsum</th>',
                 '<tbody><tr><th>Lorem ipsum</th></tr></tbody>',
-                '<th>Lorem ipsum</th>',
             ],
             [
                 '<tr>Lorem ipsum</tr>',
                 '<tbody><tr></tr></tbody>',
-                '<tr>Lorem ipsum</tr>',
             ],
         ];
     }
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/Parser/MastermindsParserTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/Parser/MastermindsParserTest.php
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/Parser/NativeParserTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/Parser/NativeParserTest.php
@@ -11,11 +11,9 @@
 
 namespace Symfony\Component\HtmlSanitizer\Tests\Parser;
 
-use PHPUnit\Framework\Attributes\RequiresPhp;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HtmlSanitizer\Parser\NativeParser;
 
-#[RequiresPhp('8.4')]
 class NativeParserTest extends TestCase
 {
     public function testParseValid()
diff --git a/src/Symfony/Component/HtmlSanitizer/composer.json b/src/Symfony/Component/HtmlSanitizer/composer.json
@@ -18,9 +18,7 @@
     "require": {
         "php": ">=8.4",
         "ext-dom": "*",
-        "league/uri": "^6.5|^7.0",
-        "masterminds/html5": "^2.7.2",
-        "symfony/deprecation-contracts": "^2.5|^3"
+        "league/uri": "^6.5|^7.0"
     },
     "autoload": {
         "psr-4": { "Symfony\\Component\\HtmlSanitizer\\": "" },

Original file line number	Diff line number	Diff line change
`@@ -16,13 +16,6 @@`
`16`	`16`	`*/`
`17`	`17`	`final class NativeParser implements ParserInterface`
`18`	`18`	`{`
`19`		`- public function __construct()`
`20`		`- {`
`21`		`- if (\PHP_VERSION_ID < 80400) {`
`22`		`- throw new \LogicException(self::class.' requires PHP 8.4 or higher.');`
`23`		`- }`
`24`		`- }`
`25`		`-`
`26`	`19`	`public function parse(string $html, string $context = 'body'): ?\Dom\Node`
`27`	`20`	`{`
`28`	`21`	`$document = @\Dom\HTMLDocument::createFromString(\sprintf('<!DOCTYPE html><%s>%s</%1$s>', $context, $html));`
Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,5 @@ interface ParserInterface`
`25`	`25`	`*`
`26`	`26`	`* @param string $context The name of the context element in which the HTML is parsed`
`27`	`27`	`*/`
`28`		`- public function parse(string $html/* , string $context = 'body' */): \Dom\Node\|\DOMNode\|null;`
	`28`	`+ public function parse(string $html, string $context = 'body'): \Dom\Node\|\DOMNode\|null;`
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,11 +64,8 @@ public static function provideSanitizeHead()`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`#[DataProvider('provideSanitizeBody')]`
`67`		`- public function testSanitizeBody(string $input, string $expected, ?string $legacyExpected = null)`
	`67`	`+ public function testSanitizeBody(string $input, string $expected)`
`68`	`68`	`{`
`69`		`- if (\PHP_VERSION_ID < 80400) {`
`70`		`- $expected = $legacyExpected ?? $expected;`
`71`		`- }`
`72`	`69`	`$this->assertSame($expected, $this->createSanitizer()->sanitize($input));`
`73`	`70`	`}`
`74`	`71`
`@@ -87,7 +84,6 @@ public static function provideSanitizeBody()`
`87`	`84`	`[`
`88`	`85`	`'< Hello',`
`89`	`86`	`'< Hello',`
`90`		`- ' Hello',`
`91`	`87`	`],`
`92`	`88`	`[`
`93`	`89`	`'Lorem & Ipsum',`
`@@ -132,7 +128,6 @@ public static function provideSanitizeBody()`
`132`	`128`	`[`
`133`	`129`	`'<<a href="javascript:evil"/>a href="javascript:evil"/>',`
`134`	`130`	`'<<a>a href="javascript:evil"/></a>',`
`135`		`- '<a>a href="javascript:evil"/></a>',`
`136`	`131`	`],`
`137`	`132`	`[`
`138`	`133`	`'<a href="javascript:alert(\'ok\')">Test</a>',`
`@@ -169,12 +164,10 @@ public static function provideSanitizeBody()`
`169`	`164`	`[`
`170`	`165`	`'<<img src="javascript:evil"/>iframe src="javascript:evil"/>',`
`171`	`166`	`'<<img />iframe src="javascript:evil"/>',`
`172`		`- '<img />iframe src="javascript:evil"/>',`
`173`	`167`	`],`
`174`	`168`	`[`
`175`	`169`	`'<<img src="javascript:evil"/>img src="javascript:evil"/>',`
`176`	`170`	`'<<img />img src="javascript:evil"/>',`
`177`		`- '<img />img src="javascript:evil"/>',`
`178`	`171`	`],`
`179`	`172`	`[`
`180`	`173`	`'<IMG SRC="javascript:alert(\'XSS\');">',`
`@@ -219,12 +212,10 @@ public static function provideSanitizeBody()`
`219`	`212`	`[`
`220`	`213`	`'<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>',`
`221`	`214`	`'<img />',`
`222`		`- '<img src="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041" />',`
`223`	`215`	`],`
`224`	`216`	`[`
`225`	`217`	`'<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>',`
`226`	`218`	`'<img />',`
`227`		`- '<img src="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" />',`
`228`	`219`	`],`
`229`	`220`	`[`
`230`	`221`	`'<IMG DYNSRC="javascript:alert(\'XSS\')">',`
`@@ -531,7 +522,6 @@ public static function provideSanitizeBody()`
`531`	`522`	`[`
`532`	`523`	`'<table>Lorem ipsum</table>',`
`533`	`524`	`'Lorem ipsum<table></table>',`
`534`		`- '<table>Lorem ipsum</table>',`
`535`	`525`	`],`
`536`	`526`	`[`
`537`	`527`	`'<ul>Lorem ipsum</ul>',`
`@@ -545,12 +535,8 @@ public static function provideSanitizeBody()`
`545`	`535`	`}`
`546`	`536`
`547`	`537`	`#[DataProvider('provideSanitizeTable')]`
`548`		`- public function testSanitizeTable(string $input, string $expected, ?string $legacyExpected = null)`
	`538`	`+ public function testSanitizeTable(string $input, string $expected)`
`549`	`539`	`{`
`550`		`- if (\PHP_VERSION_ID < 80400) {`
`551`		`- $expected = $legacyExpected ?? $expected;`
`552`		`- }`
`553`		`-`
`554`	`540`	`$this->assertSame($expected, $this->createSanitizer()->sanitizeFor('table', $input));`
`555`	`541`	`}`
`556`	`542`
`@@ -564,32 +550,26 @@ public static function provideSanitizeTable(): iterable`
`564`	`550`	`[`
`565`	`551`	`'<tbody>Lorem ipsum</tbody>',`
`566`	`552`	`'<tbody></tbody>',`
`567`		`- '<tbody>Lorem ipsum</tbody>',`
`568`	`553`	`],`
`569`	`554`	`[`
`570`	`555`	`'<td>Lorem ipsum</td>',`
`571`	`556`	`'<tbody><tr><td>Lorem ipsum</td></tr></tbody>',`
`572`		`- '<td>Lorem ipsum</td>',`
`573`	`557`	`],`
`574`	`558`	`[`
`575`	`559`	`'<tfoot>Lorem ipsum</tfoot>',`
`576`	`560`	`'<tfoot></tfoot>',`
`577`		`- '<tfoot>Lorem ipsum</tfoot>',`
`578`	`561`	`],`
`579`	`562`	`[`
`580`	`563`	`'<thead>Lorem ipsum</thead>',`
`581`	`564`	`'<thead></thead>',`
`582`		`- '<thead>Lorem ipsum</thead>',`
`583`	`565`	`],`
`584`	`566`	`[`
`585`	`567`	`'<th>Lorem ipsum</th>',`
`586`	`568`	`'<tbody><tr><th>Lorem ipsum</th></tr></tbody>',`
`587`		`- '<th>Lorem ipsum</th>',`
`588`	`569`	`],`
`589`	`570`	`[`
`590`	`571`	`'<tr>Lorem ipsum</tr>',`
`591`	`572`	`'<tbody><tr></tr></tbody>',`
`592`		`- '<tr>Lorem ipsum</tr>',`
`593`	`573`	`],`
`594`	`574`	`];`
`595`	`575`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,11 +11,9 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\HtmlSanitizer\Tests\Parser;`
`13`	`13`
`14`		`-use PHPUnit\Framework\Attributes\RequiresPhp;`
`15`	`14`	`use PHPUnit\Framework\TestCase;`
`16`	`15`	`use Symfony\Component\HtmlSanitizer\Parser\NativeParser;`
`17`	`16`
`18`		`-#[RequiresPhp('8.4')]`
`19`	`17`	`class NativeParserTest extends TestCase`
`20`	`18`	`{`
`21`	`19`	`public function testParseValid()`