Merge branch '6.4' into 7.3

nicolas-grekas · nicolas-grekas · commit 8740fc48979f · 2025-08-12T12:34:03.000+02:00
* 6.4:
  [GitHub] Update .github/PULL_REQUEST_TEMPLATE.md to remove SF 7.2 as it's not supported anymore
  [WebProfilerBundle] Fix toolbar not rendering after replacing it
  [HtmlSanitizer] Fix force_attributes not replacing existing attribute in initial data
diff --git a/Tests/HtmlSanitizerCustomTest.php b/Tests/HtmlSanitizerCustomTest.php
@@ -232,10 +232,17 @@ public function testForceAttribute()
     {
         $config = (new HtmlSanitizerConfig())
             ->allowElement('div')
+            ->allowElement('img', '*')
             ->allowElement('a', ['href'])
             ->forceAttribute('a', 'rel', 'noopener noreferrer')
+            ->forceAttribute('img', 'loading', 'lazy')
         ;
 
+        $this->assertSame(
+            '<img title="My image" src="https://example.com/image.png" loading="lazy" />',
+            $this->sanitize($config, '<img title="My image" src="https://example.com/image.png" loading="eager" onerror="alert(\'1234\')" />')
+        );
+
         $this->assertSame(
             '<a rel="noopener noreferrer">Hello</a> world',
             $this->sanitize($config, '<a>Hello</a> world')
@@ -250,6 +257,11 @@ public function testForceAttribute()
             '<div>Hello</div> world',
             $this->sanitize($config, '<div style="width: 100px">Hello</div> world')
         );
+
+        $this->assertSame(
+            '<a href="https://symfony.com" rel="noopener noreferrer">Hello</a> world',
+            $this->sanitize($config, '<a href="https://symfony.com" rel="noopener">Hello</a> world')
+        );
     }
 
     public function testForceHttps()
diff --git a/Visitor/DomVisitor.php b/Visitor/DomVisitor.php
@@ -129,7 +129,7 @@ private function enterNode(string $domNodeName, \DOMNode $domNode, Cursor $curso
 
         // Force configured attributes
         foreach ($this->forcedAttributes[$domNodeName] ?? [] as $attribute => $value) {
-            $node->setAttribute($attribute, $value);
+            $node->setAttribute($attribute, $value, true);
         }
 
         $cursor->node->addChild($node);
diff --git a/Visitor/Node/Node.php b/Visitor/Node/Node.php
@@ -56,10 +56,10 @@ public function getAttribute(string $name): ?string
         return $this->attributes[$name] ?? null;
     }
 
-    public function setAttribute(string $name, ?string $value): void
+    public function setAttribute(string $name, ?string $value, bool $override = false): void
     {
         // Always use only the first declaration (ease sanitization)
-        if (!\array_key_exists($name, $this->attributes)) {
+        if ($override || !\array_key_exists($name, $this->attributes)) {
             $this->attributes[$name] = $value;
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ private function enterNode(string $domNodeName, \DOMNode $domNode, Cursor $curso`
`129`	`129`
`130`	`130`	`// Force configured attributes`
`131`	`131`	`foreach ($this->forcedAttributes[$domNodeName] ?? [] as $attribute => $value) {`
`132`		`- $node->setAttribute($attribute, $value);`
	`132`	`+ $node->setAttribute($attribute, $value, true);`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`$cursor->node->addChild($node);`
Original file line number	Diff line number	Diff line change
`@@ -56,10 +56,10 @@ public function getAttribute(string $name): ?string`
`56`	`56`	`return $this->attributes[$name] ?? null;`
`57`	`57`	`}`
`58`	`58`
`59`		`- public function setAttribute(string $name, ?string $value): void`
	`59`	`+ public function setAttribute(string $name, ?string $value, bool $override = false): void`
`60`	`60`	`{`
`61`	`61`	`// Always use only the first declaration (ease sanitization)`
`62`		`- if (!\array_key_exists($name, $this->attributes)) {`
	`62`	`+ if ($override \|\| !\array_key_exists($name, $this->attributes)) {`
`63`	`63`	`$this->attributes[$name] = $value;`
`64`	`64`	`}`
`65`	`65`	`}`