
Tweaks (rename documentWhitelist to doctypeWhitelist)

Michel Salib 12 years ago
parent
commit
d220df759d

+ 2 - 5
DependencyInjection/Configuration.php

@@ -162,13 +162,10 @@ class Configuration implements ConfigurationInterface
                         ->end()
                     ->end()
                     ->arrayNode('xml')
+                        ->fixXmlConfig('whitelisted-doctype', 'doctype_whitelist')
                         ->addDefaultsIfNotSet()
                         ->children()
-                            ->arrayNode('document_whitelist')
-                                ->beforeNormalization()
-                                    ->ifTrue(function($v){ return !is_array($v); })
-                                    ->then(function($v){ return array($v); })
-                                ->end()
+                            ->arrayNode('doctype_whitelist')
                                 ->prototype('scalar')->end()
                             ->end()
                         ->end()
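Review bot: Removing the `beforeNormalization()` cast on `doctype_whitelist` means a scalar value such as `doctype_whitelist: '<!DOCTYPE authorized SYSTEM "http://some_url">'` in YAML or PHP config is no longer wrapped into a list, so the array node will reject it with a type error instead of accepting a single entry. If that is not intended, keep the cast with `->beforeNormalization()->ifString()->then(function($v){ return array($v); })->end()` on the new node. Separately, the singular passed to `fixXmlConfig()` is dashed (`'whitelisted-doctype'`), while config keys are, as far as I can tell, normalised from dashes to underscores before the XML remapping runs, so it is worth confirming that the `<whitelisted-doctype>` form shown in configuration.rst really reaches `doctype_whitelist`. The test section in JMSSerializerExtensionTest.php drops the scalar case and adds none for the XML singular, so neither path is covered; because this list decides which DOCTYPE declarations the XML deserializer accepts, both are worth a test.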

+ 1 - 1
DependencyInjection/JMSSerializerExtension.php

@@ -147,7 +147,7 @@ class JMSSerializerExtension extends ConfigurableExtension
         ;
 
         $container
-            ->setParameter('jms_serializer.xml_deserialization_visitor.document_whitelist', $config['visitors']['xml']['document_whitelist'])
+            ->setParameter('jms_serializer.xml_deserialization_visitor.doctype_whitelist', $config['visitors']['xml']['doctype_whitelist'])
         ;
     }
 

+ 3 - 3
Resources/config/services.xml

@@ -33,7 +33,7 @@
         <parameter key="jms_serializer.json_deserialization_visitor.class">JMS\SerializerBundle\Serializer\JsonDeserializationVisitor</parameter>
         <parameter key="jms_serializer.xml_serialization_visitor.class">JMS\SerializerBundle\Serializer\XmlSerializationVisitor</parameter>
         <parameter key="jms_serializer.xml_deserialization_visitor.class">JMS\SerializerBundle\Serializer\XmlDeserializationVisitor</parameter>
-        <parameter key="jms_serializer.xml_deserialization_visitor.document_whitelist" type="collection"></parameter>
+        <parameter key="jms_serializer.xml_deserialization_visitor.doctype_whitelist" type="collection"></parameter>
         <parameter key="jms_serializer.yaml_serialization_visitor.class">JMS\SerializerBundle\Serializer\YamlSerializationVisitor</parameter>
 
         <parameter key="jms_serializer.object_based_custom_handler.class">JMS\SerializerBundle\Serializer\Handler\ObjectBasedCustomHandler</parameter>
@@ -149,8 +149,8 @@
             <argument type="service" id="jms_serializer.naming_strategy" />
             <argument type="collection" /><!-- Custom Handlers -->
             <argument type="service" id="jms_serializer.object_constructor" />
-            <call method="setDocumentWhitelist">
-                <argument>%jms_serializer.xml_deserialization_visitor.document_whitelist%</argument>
+            <call method="setDoctypeWhitelist">
+                <argument>%jms_serializer.xml_deserialization_visitor.doctype_whitelist%</argument>
             </call>
             <tag name="jms_serializer.deserialization_visitor" format="xml" />
         </service>

+ 3 - 4
Resources/doc/configuration.rst

@@ -56,7 +56,7 @@ values:
 
             visitors:
                 xml:
-                    document_whitelist:
+                    doctype_whitelist:
                         - '<!DOCTYPE authorized SYSTEM "http://some_url">' # an authorized document type for xml deserialization
 
     .. code-block :: xml
@@ -98,9 +98,8 @@ values:
 
             <visitors>
                 <xml>
-                    <document_whitelist>
-                        <!DOCTYPE authorized SYSTEM "http://some_url">
-                    </document_whitelist>
+                    <whitelisted-doctype><![CDATA[<!DOCTYPE...>]]></whitelisted-doctype>
+                    <whitelisted-doctype><![CDATA[<!DOCTYPE...>]]></whitelisted-doctype>
                 </xml>
             </visitors>
         </jms-serializer>

+ 12 - 6
Serializer/XmlDeserializationVisitor.php

@@ -36,7 +36,7 @@ class XmlDeserializationVisitor extends AbstractDeserializationVisitor
     private $result;
     private $navigator;
     private $disableExternalEntities;
-    private $documentWhitelist = array();
+    private $doctypeWhitelist = array();
 
     public function __construct(PropertyNamingStrategyInterface $namingStrategy, array $customHandlers, ObjectConstructorInterface $objectConstructor, $disableExternalEntities = true)
     {
@@ -69,7 +69,7 @@ class XmlDeserializationVisitor extends AbstractDeserializationVisitor
         foreach ($dom->childNodes as $child) {
             if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                 $internalSubset = str_replace(PHP_EOL, '', $child->internalSubset);
-                if (!in_array($internalSubset, $this->documentWhitelist, true)) {
+                if (!in_array($internalSubset, $this->doctypeWhitelist, true)) {
                     throw new \InvalidArgumentException(sprintf(
                         'The document type "%s" is not allowed. If it is safe, you may add it to the whitelist configuration.',
                         $internalSubset
@@ -313,13 +313,19 @@ class XmlDeserializationVisitor extends AbstractDeserializationVisitor
         return $this->result;
     }
 
-    public function setDocumentWhitelist(array $documentWhitelist)
+    /**
+     * @param array<string> $doctypeWhitelist
+     */
+    public function setDoctypeWhitelist(array $doctypeWhitelist)
     {
-        $this->documentWhitelist = $documentWhitelist;
+        $this->doctypeWhitelist = $doctypeWhitelist;
     }
 
-    public function getDocumentWhitelist()
+    /**
+     * @return array<string>
+     */
+    public function getDoctypeWhitelist()
     {
-        return $this->documentWhitelist;
+        return $this->doctypeWhitelist;
     }
 }
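Review bot: The whitelist comparison in the `@@ -69` hunk strips only `PHP_EOL` before the strict `in_array()` check, so whether a multi-line doctype matches its whitelist entry depends on the host's line-ending constant rather than on the document. Stripping both characters explicitly, `$internalSubset = str_replace(array("\r", "\n"), '', $child->internalSubset);`, would make matching platform-independent; the mismatch fails closed today, but it shows up as a legitimate doctype being rejected. The new `@param array<string>` docblock on `setDoctypeWhitelist()` could also say that entries are matched by exact string equality against the newline-stripped doctype, and that the default empty list rejects every document that carries a DOCTYPE. The exception message echoes the document's doctype verbatim, so callers that log or display it should treat that text as untrusted input. The method containing the check starts and ends outside the hunk.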

+ 2 - 10
Tests/DependencyInjection/JMSSerializerExtensionTest.php

@@ -126,25 +126,17 @@ class JMSSerializerExtensionTest extends \PHPUnit_Framework_TestCase
     public function testXmlVisitorOptions($expectedOptions, $config)
     {
         $container = $this->getContainerForConfig(array($config));
-        $this->assertSame($expectedOptions, $container->get('jms_serializer.xml_deserialization_visitor')->getDocumentWhitelist());
+        $this->assertSame($expectedOptions, $container->get('jms_serializer.xml_deserialization_visitor')->getDoctypeWhitelist());
     }
 
     public function getXmlVisitorWhitelists()
     {
         $configs = array();
 
-        $configs[] = array(array('good document'), array(
-            'visitors' => array(
-                'xml' => array(
-                    'document_whitelist' => 'good document',
-                )
-            )
-        ));
-
         $configs[] = array(array('good document', 'other good document'), array(
             'visitors' => array(
                 'xml' => array(
-                    'document_whitelist' => array('good document', 'other good document'),
+                    'doctype_whitelist' => array('good document', 'other good document'),
                 )
             )
         ));

+ 1 - 1
Tests/Serializer/XmlSerializationTest.php

@@ -100,7 +100,7 @@ class XmlSerializationTest extends BaseSerializationTest
             $this->getDeserializationHandlers(),
             new UnserializeObjectConstructor()
         );
-        $xmlVisitor->setDocumentWhitelist(array(
+        $xmlVisitor->setDoctypeWhitelist(array(
             '<!DOCTYPE authorized SYSTEM "http://authorized_url.dtd">',
             '<!DOCTYPE author [<!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource='.basename(__FILE__).'">]>'));