This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine
Based on #88
Commits
-------
ab4d05358c Fix XSS issues in the form theme of the PHP templating engine
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Add a separator in the remember me cookie hash
Based on #89
Commits
-------
a29ce2817c [Security] Add a separator in the remember me cookie hash
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] reject invalid method override
Based on #86
Commits
-------
944e60f083 [HttpFoundation] reject invalid method override
This PR was merged into the 3.4 branch.
Discussion
----------
[Form] Workaround for \DateInterval::createFromDateString()
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
This patch makes test `Symfony\Component\Form\Tests\Extension\Core\Type\DateIntervalTypeTest::testSubmitNullUsesDateEmptyData()` pass in PHP 7.2.17 and 7.3.4
PHP bug reference : https://bugs.php.net/bug.php?id=77896
See also : https://3v4l.org/sQjh2
Commits
-------
54247ec05f Workaround for \DateInterval::createFromDateString()
This PR was submitted for the master branch but it was merged into the 3.4 branch instead (closes#31099).
Discussion
----------
Missing Lithuanian translations added.
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #
| License | MIT
| Doc PR | symfony/symfony-docs
Missing Lithuanian translations for validator component.
Commits
-------
1c9a9cd9e0 Missing Lithuanian translations added to validator component.
This PR was merged into the 3.4 branch.
Discussion
----------
Skip testing the phpunit-bridge on not-master branches when $deps is empty
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Tests are not in sync with the autoloaded code on these jobs.
The bridge is still tested on deps=low/high jobs + master
Commits
-------
b0ee192aaa Skip testing the phpunit-bridge on not-master branches when $deps is empty
This PR was merged into the 3.4 branch.
Discussion
----------
[DI] Overriding services autowired by name under _defaults bind not working
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #28326
| License | MIT
This is an implementation of ideas and suggestions of @nicolas-grekas and @GuilhemN.
Commits
-------
7e805eae2b more tests
35a40ace6f [DI] Fixes: #28326 - Overriding services autowired by name under _defaults bind not working
This PR was submitted for the 4.2 branch but it was merged into the 3.4 branch instead (closes#31076).
Discussion
----------
[HttpKernel] Fixed LoggerDataCollector crashing on empty file
| Q | A
| ------------- | ---
| Branch? | 4.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #31050
| License | MIT
This PR adds a check to the LoggerDataCollector if there's acutal some content in the log file.
Commits
-------
291c73a290 Catch empty deprecation.log silently (fixes#31050)
This PR was merged into the 3.4 branch.
Discussion
----------
Optimize SVGs
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | / <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | / <!-- required for new features -->
Used [svgo](https://github.com/svg/svgo) to optimize the svgs. I kept the `viewBox` attribute to keep the aspects when SVGs are rescaled.
I also added `insert_final_newline = false` to the `.editorconfig` file because the newlines are removed from the SVGs and there's only one line left.
Commits
-------
4614cea9d2 Optimize SVGs
This PR was merged into the 3.4 branch.
Discussion
----------
property normalizer should also pass format and context to isAllowedAttribute
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | found while working on https://github.com/symfony/symfony/pull/30888
| License | MIT
| Doc PR | -
the context and format are optional parameters to `isAllowedAttribute`, but should be forwarded. due to this omission, the PropertyNormalizer was ignoring the 'attributes' context option (and does in version 4 also ignore the 'ignore_attributes' context option - that one is a property on the normalizer class in version 3 and therefore not ignored here)
Commits
-------
13e2fb735d property normalizer should also pass format and context to isAllowedAttribute
This PR was squashed before being merged into the 3.4 branch (closes#31074).
Discussion
----------
minor: the meaning of the data breach was not correct
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | none <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | none <!-- required for new features -->
<!--
Write a short README entry for your feature/bugfix here (replace this comment block.)
This will help people understand your PR and can be used as a start of the Doc PR.
Additionally:
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
-->
It seems that the french translation was wrong as the phrasing suggested that the data breach came from the current application/website.
Changing as discussed here: https://github.com/symfony/symfony/pull/31053#discussion_r274310683
Commits
-------
97ac9bae11 minor: the meaning of the data breach was not correct
This PR was merged into the 3.4 branch.
Discussion
----------
CS Fixes: Not double split with one array argument
| Q | A
| ------------- | ---
| Branch? | 3.4 (master from #31063)
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | None
| License | MIT
| Doc PR | None
Keep to use the same CS in all the Symfony code base.
Use:
```php
$resolver->setDefaults([
'compound' => false
]);
```
Instead of:
```php
$resolver->setDefaults(
[
'compound' => false,
]
);
```
Keep the double split when the method has two or more arguments.
I miss a PSR with this rule.
Commits
-------
a56bf552ad CS Fixes: Not double split with one array argument
This PR was squashed before being merged into the 3.4 branch (closes#31059).
Discussion
----------
Show more accurate message in profiler when missing stopwatch
| Q | A
| ------------- | ---
| Branch? | 3.4+
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #31056
| License | MIT
| Doc PR | ~
This adds a message to the profiler if the stopwatch component is not installed, instead of suggesting to check if debug is enabled (even if it is enabled).
I had to add a method in the collector to expose the value collected, which in theory adds a feature. Is there perhaps a way to expose this collected data _without_ a "BC break"? I don't think it breaks anything, though it does make the dependencies on the http-kernel a bit strict. The other solution is to ignore if it's null and only act if it's a boolean (feature detection).
Commits
-------
326aa86d6a Show more accurate message in profiler when missing stopwatch
Keep to use the same CS in all the Symfony code base.
Use:
```php
$resolver->setDefaults([
'compound' => false
]);
```
Instead of:
```php
$resolver->setDefaults(
[
'compound' => false,
]
);
```
Keep the double split when the method has two or more arguments.
I miss a PSR with this rule.
This PR was merged into the 3.4 branch.
Discussion
----------
Remove redundant animation prefixes
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | / <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | / <!-- required for new features -->
Like https://github.com/symfony/symfony/pull/31055, a small cleanup of CSS. CSS animations can be used safely without any prefixes.
Commits
-------
3655bcfaf7 Remove redundant animation prefixes
This PR was submitted for the 4.2 branch but it was merged into the 3.4 branch instead (closes#31055).
Discussion
----------
Remove redundant `box-sizing` prefixes
| Q | A
| ------------- | ---
| Branch? | 4.2 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | / <!-- please add some, will be required by reviewers -->
| Fixed tickets | / <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | / <!-- required for new features -->
The `-webkit-` and `-moz-` prefixes are redundant and Symfony is not prefixing it on other places in the file, eg:
2243bf5bc1/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/toolbar.css.twig (L395-L401)
Not sure what branch I should target for PRs like these, just let me know if I need to change anything.
Greetings,
Martijn from the [Bootstrap](https://github.com/orgs/twbs/people) team
Commits
-------
0cf3227011 Remove redundant `box-sizing` prefixes
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Rework firewall's access denied rule
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~~#30099~~, #28229
| License | MIT
| Doc PR |
Follow tickets provided above to reproduce bugs. (there are also some project examples)
~~In addition, I'm looking for someone who knows an answer to [this](https://github.com/symfony/symfony/issues/30099#issuecomment-468693492) regarding rework in this PR.~~
Commits
-------
5790859275 Rework firewall access denied rule
This PR was submitted for the master branch but it was merged into the 3.4 branch instead (closes#31012).
Discussion
----------
[Process] Fix missing $extraDirs when open_basedir returns
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? |no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #31010
| License | MIT
Fix missing $extraDirs when open_basedir returns
Commits
-------
e238c893e9 Fix missing $extraDirs when open_basedir returns
This PR was squashed before being merged into the 3.4 branch (closes#30907).
Discussion
----------
[Serializer] Respect ignored attributes in cache key of normalizer
EUFOSSA
| Q | A
| ------------- | ---
| Branch | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Do not share the attributes cache in object normalizer when using a different setting for the ignoredAttributes setting.
In Symfony 4.2, the setter is deprecated in favor of the ignored_attibutes option in the $context. When merging this up, we will however still need to respect the field as well for BC, the cache key does not look at the default context (apart from the deprecated modifiers, the default context is immutable)
There might be performance regression for some use cases, but also could be a performance improvement when using 'attributes' in the context with lists of objects of the same class.
Commits
-------
926d228877 [Serializer] Respect ignored attributes in cache key of normalizer