symfony
diff --git a/‎.github/workflows/psalm.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/psalm.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎UPGRADE-7.4.md
Lines changed: 10 additions & 2 deletions b/‎UPGRADE-7.4.md
Lines changed: 10 additions & 2 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/CHANGELOG.md
Lines changed: 8 additions & 0 deletions b/‎src/Symfony/Component/HtmlSanitizer/CHANGELOG.md
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
Lines changed: 9 additions & 12 deletions b/‎src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
Lines changed: 9 additions & 12 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Parser/MastermindsParser.php
Lines changed: 6 additions & 1 deletion b/‎src/Symfony/Component/HtmlSanitizer/Parser/MastermindsParser.php
Lines changed: 6 additions & 1 deletion
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Parser/NativeParser.php
Lines changed: 33 additions & 0 deletions b/‎src/Symfony/Component/HtmlSanitizer/Parser/NativeParser.php
Lines changed: 33 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Parser/ParserInterface.php
Lines changed: 3 additions & 1 deletion b/‎src/Symfony/Component/HtmlSanitizer/Parser/ParserInterface.php
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php
Lines changed: 59 additions & 15 deletions b/‎src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php
Lines changed: 59 additions & 15 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
Lines changed: 4 additions & 4 deletions b/‎src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Tests/Parser/MastermindsParserTest.php
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Component/HtmlSanitizer/Tests/Parser/MastermindsParserTest.php
Lines changed: 4 additions & 0 deletions
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     env:
-      php-version: '8.2'
+      php-version: '8.4'
     steps:
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
 
@@ -16,7 +16,7 @@ Cache
 Console
 -------
 
- * Deprecate `Symfony\Component\Console\Application::add()` in favor of `Symfony\Component\Console\Application::addCommand()`
+ * Deprecate `Symfony\Component\Console\Application::add()` in favor of `addCommand()`
 
 DependencyInjection
 -------------------
@@ -32,7 +32,15 @@ DoctrineBridge
 FrameworkBundle
 ---------------
 
- * Deprecate `Symfony\Bundle\FrameworkBundle\Console\Application::add()` in favor of `Symfony\Bundle\FrameworkBundle\Console\Application::addCommand()`
+ * Deprecate `Symfony\Bundle\FrameworkBundle\Console\Application::add()` in favor of `addCommand()`
+
+HtmlSanitizer
+-------------
+
+ * Use the native HTML5 parser when using PHP 8.4+
+ * Deprecate `MastermindsParser`; use `NativeParser` instead
+ * [BC BREAK] `ParserInterface::parse()` can now return `\Dom\Node|\DOMNode|null` instead of just `\DOMNode|null`
+ * Add argument `$context` to `ParserInterface::parse()`
 
 HttpClient
 ----------
 
@@ -1,6 +1,14 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+ * Use the native HTML5 parser when using PHP 8.4+
+ * Deprecate `MastermindsParser`; use `NativeParser` instead
+ * [BC BREAK] `ParserInterface::parse()` can now return `\Dom\Node|\DOMNode|null` instead of just `\DOMNode|null`
+ * Add argument `$context` to `ParserInterface::parse()`
+
 7.2
 ---
 
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\HtmlSanitizer;
 
 use Symfony\Component\HtmlSanitizer\Parser\MastermindsParser;
+use Symfony\Component\HtmlSanitizer\Parser\NativeParser;
 use Symfony\Component\HtmlSanitizer\Parser\ParserInterface;
 use Symfony\Component\HtmlSanitizer\Reference\W3CReference;
 use Symfony\Component\HtmlSanitizer\TextSanitizer\StringSanitizer;
@@ -34,24 +35,20 @@ public function __construct(
         ?ParserInterface $parser = null,
     ) {
         $this->config = $config;
-        $this->parser = $parser ?? new MastermindsParser();
+        $this->parser = $parser ?? (\PHP_VERSION_ID < 80400 ? new MastermindsParser() : new NativeParser());
     }
 
     public function sanitize(string $input): string
     {
-        return $this->sanitizeWithContext(W3CReference::CONTEXT_BODY, $input);
+        return $this->sanitizeFor(W3CReference::CONTEXT_BODY, $input);
     }
 
     public function sanitizeFor(string $element, string $input): string
     {
-        return $this->sanitizeWithContext(
-            W3CReference::CONTEXTS_MAP[StringSanitizer::htmlLower($element)] ?? W3CReference::CONTEXT_BODY,
-            $input
-        );
-    }
+        $element = StringSanitizer::htmlLower($element);
+        $context = W3CReference::CONTEXTS_MAP[$element] ?? W3CReference::CONTEXT_BODY;
+        $element = isset(W3CReference::BODY_ELEMENTS[$element]) ? $element : $context;
 
-    private function sanitizeWithContext(string $context, string $input): string
-    {
         // Text context: early return with HTML encoding
         if (W3CReference::CONTEXT_TEXT === $context) {
             return StringSanitizer::encodeHtmlEntities($input);
@@ -71,11 +68,11 @@ private function sanitizeWithContext(string $context, string $input): string
             return '';
         }
 
-        // Remove NULL character
-        $input = str_replace(\chr(0), '', $input);
+        // Remove NULL character and HTML entities for null byte
+        $input = str_replace([\chr(0), '&#0;', '&#x00;', '&#X00;', '&#000;'], '�', $input);
 
         // Parse as HTML
-        if (!$parsed = $this->parser->parse($input)) {
+        if ('' === trim($input) || !$parsed = $this->parser->parse($input, $element)) {
             return '';
         }
 
 
@@ -14,15 +14,20 @@
 use Masterminds\HTML5;
 
 /**
+ * @deprecated since Symfony 7.4, use `NativeParser` instead
+ *
  * @author Titouan Galopin <galopintitouan@gmail.com>
  */
 final class MastermindsParser implements ParserInterface
 {
     public function __construct(private array $defaultOptions = [])
     {
+        if (\PHP_VERSION_ID >= 80400) {
+            trigger_deprecation('symfony/html-sanitizer', '7.4', '"%s" is deprecated since Symfony 7.4 and will be removed in 8.0. Use the "NativeParser" instead.', self::class);
+        }
     }
 
-    public function parse(string $html): ?\DOMNode
+    public function parse(string $html, string $context = 'body'): ?\DOMNode
     {
         return (new HTML5($this->defaultOptions))->loadHTMLFragment($html);
     }
 
@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HtmlSanitizer\Parser;
+
+/**
+ * Parser using PHP 8.4's new Dom API.
+ */
+final class NativeParser implements ParserInterface
+{
+    public function __construct()
+    {
+        if (\PHP_VERSION_ID < 80400) {
+            throw new \LogicException(self::class.' requires PHP 8.4 or higher.');
+        }
+    }
+
+    public function parse(string $html, string $context = 'body'): ?\Dom\Node
+    {
+        $document = @\Dom\HTMLDocument::createFromString(\sprintf('<!DOCTYPE html><%s>%s</%1$s>', $context, $html));
+        $element = $document->getElementsByTagName($context)->item(0);
+
+        return $element->hasChildNodes() ? $element : null;
+    }
+}
@@ -22,6 +22,8 @@ interface ParserInterface
      * Parse a given string and returns a DOMNode tree.
      *
      * This method must return null if the string cannot be parsed as HTML.
+     *
+     * @param string $context The name of the context element in which the HTML is parsed
      */
-    public function parse(string $html): ?\DOMNode;
+    public function parse(string $html/* , string $context = 'body' */): \Dom\Node|\DOMNode|null;
 }
@@ -64,8 +64,11 @@ public static function provideSanitizeHead()
     }
 
     #[DataProvider('provideSanitizeBody')]
-    public function testSanitizeBody(string $input, string $expected)
+    public function testSanitizeBody(string $input, string $expected, ?string $legacyExpected = null)
     {
+        if (\PHP_VERSION_ID < 80400) {
+            $expected = $legacyExpected ?? $expected;
+        }
         $this->assertSame($expected, $this->createSanitizer()->sanitize($input));
     }
 
@@ -83,6 +86,7 @@ public static function provideSanitizeBody()
             ],
             [
                 '< Hello',
+                '&lt; Hello',
                 ' Hello',
             ],
             [
@@ -127,6 +131,7 @@ public static function provideSanitizeBody()
             ],
             [
                 '<<a href="javascript:evil"/>a href="javascript:evil"/>',
+                '&lt;<a>a href&#61;&#34;javascript:evil&#34;/&gt;</a>',
                 '<a>a href&#61;&#34;javascript:evil&#34;/&gt;</a>',
             ],
             [
@@ -163,10 +168,12 @@ public static function provideSanitizeBody()
             ],
             [
                 '<<img src="javascript:evil"/>iframe src="javascript:evil"/>',
+                '&lt;<img />iframe src&#61;&#34;javascript:evil&#34;/&gt;',
                 '<img />iframe src&#61;&#34;javascript:evil&#34;/&gt;',
             ],
             [
                 '<<img src="javascript:evil"/>img src="javascript:evil"/>',
+                '&lt;<img />img src&#61;&#34;javascript:evil&#34;/&gt;',
                 '<img />img src&#61;&#34;javascript:evil&#34;/&gt;',
             ],
             [
@@ -211,10 +218,12 @@ public static function provideSanitizeBody()
             ],
             [
                 '<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>',
+                '<img />',
                 '<img src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041" />',
             ],
             [
                 '<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>',
+                '<img />',
                 '<img src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29" />',
             ],
             [
@@ -233,10 +242,6 @@ public static function provideSanitizeBody()
                 '<svg/onload=alert(\'XSS\')>',
                 '',
             ],
-            [
-                '<BODY BACKGROUND="javascript:alert(\'XSS\')">',
-                '<body></body>',
-            ],
             [
                 '<BGSOUND SRC="javascript:alert(\'XSS\');">',
                 '<bgsound></bgsound>',
@@ -350,10 +355,6 @@ public static function provideSanitizeBody()
                 'Lorem ipsum <br>dolor sit amet <br />consectetur adipisicing.',
                 'Lorem ipsum <br />dolor sit amet <br />consectetur adipisicing.',
             ],
-            [
-                '<caption>Lorem ipsum</caption>',
-                '<caption>Lorem ipsum</caption>',
-            ],
             [
                 '<code>Lorem ipsum</code>',
                 '<code>Lorem ipsum</code>',
@@ -529,41 +530,84 @@ public static function provideSanitizeBody()
             ],
             [
                 '<table>Lorem ipsum</table>',
+                'Lorem ipsum<table></table>',
                 '<table>Lorem ipsum</table>',
             ],
+            [
+                '<ul>Lorem ipsum</ul>',
+                '<ul>Lorem ipsum</ul>',
+            ],
+        ];
+
+        foreach ($cases as $case) {
+            yield $case[0] => $case;
+        }
+    }
+
+    #[DataProvider('provideSanitizeTable')]
+    public function testSanitizeTable(string $input, string $expected, ?string $legacyExpected = null)
+    {
+        if (\PHP_VERSION_ID < 80400) {
+            $expected = $legacyExpected ?? $expected;
+        }
+
+        $this->assertSame($expected, $this->createSanitizer()->sanitizeFor('table', $input));
+    }
+
+    public static function provideSanitizeTable(): iterable
+    {
+        return [
+            [
+                '<caption>Lorem ipsum</caption>',
+                '<caption>Lorem ipsum</caption>',
+            ],
             [
                 '<tbody>Lorem ipsum</tbody>',
+                '<tbody></tbody>',
                 '<tbody>Lorem ipsum</tbody>',
             ],
             [
                 '<td>Lorem ipsum</td>',
+                '<tbody><tr><td>Lorem ipsum</td></tr></tbody>',
                 '<td>Lorem ipsum</td>',
             ],
             [
                 '<tfoot>Lorem ipsum</tfoot>',
+                '<tfoot></tfoot>',
                 '<tfoot>Lorem ipsum</tfoot>',
             ],
             [
                 '<thead>Lorem ipsum</thead>',
+                '<thead></thead>',
                 '<thead>Lorem ipsum</thead>',
             ],
             [
                 '<th>Lorem ipsum</th>',
+                '<tbody><tr><th>Lorem ipsum</th></tr></tbody>',
                 '<th>Lorem ipsum</th>',
             ],
             [
                 '<tr>Lorem ipsum</tr>',
+                '<tbody><tr></tr></tbody>',
                 '<tr>Lorem ipsum</tr>',
             ],
+        ];
+    }
+
+    #[DataProvider('provideSanitizeHtml')]
+    public function testSanitizeHtml(string $input, string $expected)
+    {
+        $this->assertSame($expected, $this->createSanitizer()->sanitizeFor('html', $input));
+    }
+
+    public static function provideSanitizeHtml(): iterable
+    {
+        return [
             [
-                '<ul>Lorem ipsum</ul>',
-                '<ul>Lorem ipsum</ul>',
+                '<BODY BACKGROUND="javascript:alert(\'XSS\')">',
+                '<body></body>',
             ],
         ];
-
-        foreach ($cases as $case) {
-            yield $case[0] => $case;
-        }
     }
 
     public function testUnlimitedLength()
 
@@ -25,8 +25,8 @@ public function testSanitizeForHead()
         ;
 
         $this->assertSame(
-            ' world',
-            (new HtmlSanitizer($config))->sanitizeFor('head', '<div style="width: 100px">Hello</div> world')
+            '',
+            (new HtmlSanitizer($config))->sanitizeFor('head', '<div style="width: 100px">Hello world</div>')
         );
     }
 
@@ -65,8 +65,8 @@ public function testSanitizeDeepNestedString()
 
     public function testSanitizeNullByte()
     {
-        $this->assertSame('Null byte', $this->sanitize(new HtmlSanitizerConfig(), "Null byte\0"));
-        $this->assertSame('Null byte', $this->sanitize(new HtmlSanitizerConfig(), 'Null byte&#0;'));
+        $this->assertSame('Null byte�', $this->sanitize(new HtmlSanitizerConfig(), "Null byte\0"));
+        $this->assertSame('Null byte�', $this->sanitize(new HtmlSanitizerConfig(), 'Null byte&#0;'));
     }
 
     public function testSanitizeDefaultBody()
 
@@ -11,9 +11,13 @@
 
 namespace Symfony\Component\HtmlSanitizer\Tests\Parser;
 
+use PHPUnit\Framework\Attributes\Group;
+use PHPUnit\Framework\Attributes\IgnoreDeprecations;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HtmlSanitizer\Parser\MastermindsParser;
 
+#[IgnoreDeprecations]
+#[Group('legacy')]
 class MastermindsParserTest extends TestCase
 {
     public function testParseValid()
Original file line number	Diff line number	Diff line change
`@@ -14,15 +14,20 @@`
`14`	`14`	`use Masterminds\HTML5;`
`15`	`15`
`16`	`16`	`/**`
	`17`	+ * @deprecated since Symfony 7.4, use `NativeParser` instead
	`18`	`+ *`
`17`	`19`	`* @author Titouan Galopin <galopintitouan@gmail.com>`
`18`	`20`	`*/`
`19`	`21`	`final class MastermindsParser implements ParserInterface`
`20`	`22`	`{`
`21`	`23`	`public function __construct(private array $defaultOptions = [])`
`22`	`24`	`{`
	`25`	`+ if (\PHP_VERSION_ID >= 80400) {`
	`26`	`+ trigger_deprecation('symfony/html-sanitizer', '7.4', '"%s" is deprecated since Symfony 7.4 and will be removed in 8.0. Use the "NativeParser" instead.', self::class);`
	`27`	`+ }`
`23`	`28`	`}`
`24`	`29`
`25`		`- public function parse(string $html): ?\DOMNode`
	`30`	`+ public function parse(string $html, string $context = 'body'): ?\DOMNode`
`26`	`31`	`{`
`27`	`32`	`return (new HTML5($this->defaultOptions))->loadHTMLFragment($html);`
`28`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ interface ParserInterface`
`22`	`22`	`* Parse a given string and returns a DOMNode tree.`
`23`	`23`	`*`
`24`	`24`	`* This method must return null if the string cannot be parsed as HTML.`
	`25`	`+ *`
	`26`	`+ * @param string $context The name of the context element in which the HTML is parsed`
`25`	`27`	`*/`
`26`		`- public function parse(string $html): ?\DOMNode;`
	`28`	`+ public function parse(string $html/* , string $context = 'body' */): \Dom\Node\|\DOMNode\|null;`
`27`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,8 @@ public function testSanitizeForHead()`
`25`	`25`	`;`
`26`	`26`
`27`	`27`	`$this->assertSame(`
`28`		`- ' world',`
`29`		`- (new HtmlSanitizer($config))->sanitizeFor('head', '<div style="width: 100px">Hello</div> world')`
	`28`	`+ '',`
	`29`	`+ (new HtmlSanitizer($config))->sanitizeFor('head', '<div style="width: 100px">Hello world</div>')`
`30`	`30`	`);`
`31`	`31`	`}`
`32`	`32`
`@@ -65,8 +65,8 @@ public function testSanitizeDeepNestedString()`
`65`	`65`
`66`	`66`	`public function testSanitizeNullByte()`
`67`	`67`	`{`
`68`		`- $this->assertSame('Null byte', $this->sanitize(new HtmlSanitizerConfig(), "Null byte\0"));`
`69`		`- $this->assertSame('Null byte', $this->sanitize(new HtmlSanitizerConfig(), 'Null byte'));`
	`68`	`+ $this->assertSame('Null byte�', $this->sanitize(new HtmlSanitizerConfig(), "Null byte\0"));`
	`69`	`+ $this->assertSame('Null byte�', $this->sanitize(new HtmlSanitizerConfig(), 'Null byte'));`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`public function testSanitizeDefaultBody()`