symfony
diff --git a/‎src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
Lines changed: 3 additions & 3 deletions b/‎src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php
Lines changed: 16 additions & 0 deletions b/‎src/Symfony/Component/HtmlSanitizer/TextSanitizer/UrlSanitizer.php
Lines changed: 16 additions & 0 deletions
@@ -568,8 +568,8 @@ public static function provideParse(): iterable
             'http://你好你好' => ['scheme' => 'http', 'host' => '你好你好'],
             'https://faß.ExAmPlE/' => ['scheme' => 'https', 'host' => 'faß.ExAmPlE'],
             'sc://faß.ExAmPlE/' => ['scheme' => 'sc', 'host' => 'faß.ExAmPlE'],
-            'http://%30%78%63%30%2e%30%32%35%30.01' => ['scheme' => 'http', 'host' => '%30%78%63%30%2e%30%32%35%30.01'],
-            'http://%30%78%63%30%2e%30%32%35%30.01%2e' => ['scheme' => 'http', 'host' => '%30%78%63%30%2e%30%32%35%30.01%2e'],
+            'http://%30%78%63%30%2e%30%32%35%30.01' => null,
+            'http://%30%78%63%30%2e%30%32%35%30.01%2e' => null,
             'http://０Ｘｃ０．０２５０．０１' => ['scheme' => 'http', 'host' => '０Ｘｃ０．０２５０．０１'],
             'http://./' => ['scheme' => 'http', 'host' => '.'],
             'http://../' => ['scheme' => 'http', 'host' => '..'],
@@ -689,7 +689,7 @@ public static function provideParse(): iterable
             'urn:ietf:rfc:2648' => ['scheme' => 'urn', 'host' => null],
             'tag:joe@example.org,2001:foo/bar' => ['scheme' => 'tag', 'host' => null],
             'non-special://%E2%80%A0/' => ['scheme' => 'non-special', 'host' => '%E2%80%A0'],
-            'non-special://H%4fSt/path' => ['scheme' => 'non-special', 'host' => 'H%4fSt'],
+            'non-special://H%4fSt/path' => null,
             'non-special://[1:2:0:0:5:0:0:0]/' => ['scheme' => 'non-special', 'host' => '[1:2:0:0:5:0:0:0]'],
             'non-special://[1:2:0:0:0:0:0:3]/' => ['scheme' => 'non-special', 'host' => '[1:2:0:0:0:0:0:3]'],
             'non-special://[1:2::3]:80/' => ['scheme' => 'non-special', 'host' => '[1:2::3]'],
 
@@ -100,6 +100,10 @@ public static function parse(string $url): ?array
                 return null;
             }
 
+            if (isset($parsedUrl['host']) && self::decodeUnreservedCharacters($parsedUrl['host']) !== $parsedUrl['host']) {
+                return null;
+            }
+
             return $parsedUrl;
         } catch (SyntaxError) {
             return null;
@@ -139,4 +143,16 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
 
         return true;
     }
+
+    /**
+     * Implementation borrowed from League\Uri\Encoder::decodeUnreservedCharacters().
+     */
+    private static function decodeUnreservedCharacters(string $host): string
+    {
+        return preg_replace_callback(
+            ',%(2[1-9A-Fa-f]|[3-7][0-9A-Fa-f]|61|62|64|65|66|7[AB]|5F),',
+            static fn (array $matches): string => rawurldecode($matches[0]),
+            $host
+        );
+    }
 }