Access to the Estimated Password Strength

The PasswordStrength constraint validates that the given password has reached
a minimum strength configured in the constraint. In Symfony 7.2, we’ve changed
the visibility of the estimateStrength() validator method from private to public.

This allows you to access the estimated password strength and display it, for
example, in the interface, so users can better understand the quality of their
passwords.

Simpler RequestStack Unit Testing

When using the RequestStack in unit tests, you previously needed code like
this to configure the requests:

In Symfony 7.2, we’ve simplified this by adding a constructor to RequestStack
that accepts an array of requests:

Default Action in the HTML Sanitizer

In Symfony 7.2, we’ve added a new defaultAction() method in the HtmlSanitizer component.
This method sets the default action for elements that are not explicitly allowed
or blocked:

HtmlSanitizerAction is a PHP enum with three cases: Drop (removes the element
and its children); Block (removes the element but keeps its children); and Allow
(keeps the element).

Allow Using defaultNull() on Boolean Nodes

The current defaultNull() of BooleanNode, used when
defining and processing configuration values, casts null values to true.
In Symfony 7.2, we’ve updated this method so you can define nullable boolean
values properly:

Better IP Address Anonymization

The IpUtils class includes an anonymize() method to obscure part of the IP
address for user privacy. In Symfony 7.2, we’ve added two new arguments to this
method so you can specify how many bytes to anonymize:

String Configuration Node

When defining a configuration tree, you can use many node types for
configuration values (boolean, integers, floats, enums, arrays, etc.). However,
you couldn’t define string values directly; they were specified as scalar nodes.

In Symfony 7.2, we’ve added a string node type and a stringNode() method,
allowing you to define configuration values as strings explicitly:

Security Profiler Improvements

In Symfony 7.2, the security panel of the Symfony Profiler has been improved
with several new features. First, the authenticators tab has been updated.
Previously, authenticators that didn’t support the request were not shown:

Now, to make debugging easier, you can see all the application’s authenticators.
If an authenticator doesn’t support the request, it will be labeled as „not supported“:

When using a stateful firewall, the token tab of de-authenticated users now
includes a link to the request that contained the previously authenticated user:

The authenticators tab has also been redesigned to display information more
clearly. It now also shows whether an authenticator is lazy and includes any exception
passed to the onAuthenticationFailure() method:

This is the final blog post in the New in Symfony 7.2 series. We hope you
enjoyed it and discovered some of the great new features introduced in Symfony 7.2.
Check out the Symfony minor version upgrade guide to learn how to upgrade to 7.2
from other 7.x versions. Meanwhile, we’ve already started working on Symfony 7.3,
which will be released at the end of May 2025.