Access to the Estimated Password Strength

Yannick
Contributed by Yannick in #54881

The PasswordStrength constraint validates that the given password has reached a minimum strength configured in the constraint. In Symfony 7.2, we've changed the visibility of the estimateStrength() validator method from private to public.

This allows you to access the estimated password strength and display it, for example, in the interface, so users can better understand the quality of their passwords.

Simpler RequestStack Unit Testing

Alexander Schranz
Contributed by Alexander Schranz in #57909

When using the RequestStack in unit tests, you previously needed code like this to configure the requests:

1
2
3
$requestStack = new RequestStack();
$requestStack->push(Request::create('/'));
$someCustomClass = new MyCustomClass($requestStack);

In Symfony 7.2, we've simplified this by adding a constructor to RequestStack that accepts an array of requests:

1
2
3
$someCustomClass = new MyCustomClass(new RequestStack([
    Request::create('/'),
]));

Default Action in the HTML Sanitizer

Jordi Boggiano
Contributed by Jordi Boggiano in #57399

In Symfony 7.2, we've added a new defaultAction() method in the HtmlSanitizer component. This method sets the default action for elements that are not explicitly allowed or blocked:

1
2
3
4
5
6
7
8
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;

$config = (new HtmlSanitizerConfig())
    ->defaultAction(HtmlSanitizerAction::Block)
    ->allowElement('p');

$sanitizer = new HtmlSanitizer($config);

HtmlSanitizerAction is a PHP enum with three cases: Drop (removes the element and its children); Block (removes the element but keeps its children); and Allow (keeps the element).

Allow Using defaultNull() on Boolean Nodes

Alexandre Daubois
Contributed by Alexandre Daubois in #58490

The current defaultNull() of BooleanNode, used when defining and processing configuration values, casts null values to true. In Symfony 7.2, we've updated this method so you can define nullable boolean values properly:

1
->booleanNode('enabled')->defaultNull()->end()

Better IP Address Anonymization

Alexandre Daubois
Contributed by Alexandre Daubois in #58038

The IpUtils class includes an anonymize() method to obscure part of the IP address for user privacy. In Symfony 7.2, we've added two new arguments to this method so you can specify how many bytes to anonymize:

1
2
3
4
5
6
7
8
9
10
11
12
13
use Symfony\Component\HttpFoundation\IpUtils;

$ipv4 = '123.234.235.236';
// for IPv4 addresses, you can hide 0 to 4 bytes
$anonymousIpv4 = IpUtils::anonymize($ipv4, 3);
// $anonymousIpv4 = '123.0.0.0'

$ipv6 = '2a01:198:603:10:396e:4789:8e99:890f';
// for IPv6 addresses, you can hide 0 to 16 bytes
// (you must define the second argument (bytes to anonymize in IPv4 addresses)
// even when you are only anonymizing IPv6 addresses)
$anonymousIpv6 = IpUtils::anonymize($ipv6, 3, 10);
// $anonymousIpv6 = '2a01:198:603::'

String Configuration Node

Raffaele Carelle
Contributed by Raffaele Carelle in #58428

When defining a configuration tree, you can use many node types for configuration values (boolean, integers, floats, enums, arrays, etc.). However, you couldn't define string values directly; they were specified as scalar nodes.

In Symfony 7.2, we've added a string node type and a stringNode() method, allowing you to define configuration values as strings explicitly:

1
2
3
4
5
6
7
8
9
10
11
$rootNode
    ->children()
        // ...
        ->stringNode('username')
            ->defaultValue('root')
        ->end()
        ->stringNode('password')
            ->defaultValue('root')
        ->end()
    ->end()
;

Security Profiler Improvements

Mathieu
Contributed by Mathieu in #57525 , #57369 and #57692

In Symfony 7.2, the security panel of the Symfony Profiler has been improved with several new features. First, the authenticators tab has been updated. Previously, authenticators that didn't support the request were not shown:

Symfony security profiler panel with no authenticator shown

Now, to make debugging easier, you can see all the application's authenticators. If an authenticator doesn't support the request, it will be labeled as "not supported":

Symfony 7.2 security profiler panel with all authenticators shown

When using a stateful firewall, the token tab of de-authenticated users now includes a link to the request that contained the previously authenticated user:

Symfony 7.2 security profiler panel with a link to previous authenticated user

The authenticators tab has also been redesigned to display information more clearly. It now also shows whether an authenticator is lazy and includes any exception passed to the onAuthenticationFailure() method:

Symfony 7.2 security profiler panel with more and redesigned information in the authenticators tab

This is the final blog post in the New in Symfony 7.2 series. We hope you enjoyed it and discovered some of the great new features introduced in Symfony 7.2. Check out the Symfony minor version upgrade guide to learn how to upgrade to 7.2 from other 7.x versions. Meanwhile, we've already started working on Symfony 7.3, which will be released at the end of May 2025.

Published in #Living on the edge