New in Symfony 7.2: Misc. Improvements (Part 2)


Access to the Estimated Password Strength

Contributed by
Yannick
in
#54881

The PasswordStrength constraint validates that the given password has reached
a minimum strength configured in the constraint. In Symfony 7.2, we've changed
the visibility of the estimateStrength() validator method from private to public.
This allows you to access the estimated password strength and display it, for
example, in the interface, so users can better understand the quality of their
passwords.

Simpler RequestStack Unit Testing

Contributed by
Alexander Schranz
in
#57909

When using the RequestStack in unit tests, you previously needed code like
this to configure the requests:

$requestStack = new RequestStack();
$requestStack->push(Request::create('/'));
$someCustomClass = new MyCustomClass($requestStack);

In Symfony 7.2, we've simplified this by adding a constructor to RequestStack
that accepts an array of requests:

$someCustomClass = new MyCustomClass(new RequestStack([
Request::create('/'),
]));

Default Action in the HTML Sanitizer

Contributed by
Jordi Boggiano
in
#57399

In Symfony 7.2, we've added a new defaultAction() method in the HtmlSanitizer component.
This method sets the default action for elements that are not explicitly allowed
or blocked:

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;

$config = (new HtmlSanitizerConfig())
->defaultAction(HtmlSanitizerAction::Block)
->allowElement('p');

$sanitizer = new HtmlSanitizer($config);

HtmlSanitizerAction is a PHP enum with three cases: Drop (removes the element
and its children); Block (removes the element but keeps its children); and Allow
(keeps the element).

Allow Using defaultNull() on Boolean Nodes

Contributed by
Alexandre Daubois
in
#58490

The current defaultNull() of BooleanNode, used when
defining and processing configuration values, casts null values to true.
In Symfony 7.2, we've updated this method so you can define nullable boolean
values properly:

->booleanNode('enabled')->defaultNull()->end()

Better IP Address Anonymization

Contributed by
Alexandre Daubois
in
#58038

The IpUtils class includes an anonymize() method to obscure part of the IP
address for user privacy. In Symfony 7.2, we've added two new arguments to this
method so you can specify how many bytes to anonymize:

use Symfony\Component\HttpFoundation\IpUtils;

$ipv4 = '123.234.235.236';
// for IPv4 addresses, you can hide 0 to 4 bytes
$anonymousIpv4 = IpUtils::anonymize($ipv4, 3);
// $anonymousIpv4 = '123.0.0.0'

$ipv6 = '2a01:198:603:10:396e:4789:8e99:890f';
// for IPv6 addresses, you can hide 0 to 16 bytes
// (you must define the second argument (bytes to anonymize in IPv4 addresses)
// even when you are only anonymizing IPv6 addresses)
$anonymousIpv6 = IpUtils::anonymize($ipv6, 3, 10);
// $anonymousIpv6 = '2a01:198:603::'

String Configuration Node

Contributed by
Raffaele Carelle
in
#58428

When defining a configuration tree, you can use many node types for
configuration values (boolean, integers, floats, enums, arrays, etc.). However,
you couldn't define string values directly; they were specified as scalar nodes.
In Symfony 7.2, we've added a string node type and a stringNode() method,
allowing you to define configuration values as strings explicitly:

$rootNode
->children()
// ...
->stringNode('username')
->defaultValue('root')
->end()
->stringNode('password')
->defaultValue('root')
->end()
->end()
;

Security Profiler Improvements

Contributed by
Mathieu
in
#57525
, #57369
and #57692

In Symfony 7.2, the security panel of the Symfony Profiler has been improved
with several new features. First, the authenticators tab has been updated.
Previously, authenticators that didn't support the request were not shown:

Now, to make debugging easier, you can see all the application's authenticators.
If an authenticator doesn't support the request, it will be labeled as "not supported":

When using a stateful firewall, the token tab of de-authenticated users now
includes a link to the request that contained the previously authenticated user:

The authenticators tab has also been redesigned to display information more
clearly. It now also shows whether an authenticator is lazy and includes any exception
passed to the onAuthenticationFailure() method:

This is the final blog post in the New in Symfony 7.2 series. We hope you
enjoyed it and discovered some of the great new features introduced in Symfony 7.2.
Check out the Symfony minor version upgrade guide to learn how to upgrade to 7.2
from other 7.x versions. Meanwhile, we've already started working on Symfony 7.3,
which will be released at the end of May 2025.

Sponsor the Symfony project.