I've been writing validators/filter before, and my experience is that they are completely linked.
That's not two separate responsibilities that's one: any validation requires some normalization before.
Splitting normalization in a separate piece of code only forces doing the normalization twice: once for validation, twice for normalization (and duplicate the logic, which is a big hint for the SRP break).

My preference would be to make this clear and have validation return the normalized version of what is processed. There could be a strict mode, where input would have to be identical to the normalized version. The robustness principle tells us: be tolerant when parsing input, and strict in what you output.

So, implementing this RFC would be a design mistake for me, I'd better go with what I just described.

Developers should use the new types in their forms.

forms and validation are separate components; we should reason as such

I agree with @nicolas-grekas, being able to get the normalized value from validation sounds like a good feature addition. Then, strict validation is simply $inputValue === $normalizedValue

@ro0NL I get your point about forms and validation: maybe then the DataTransformers / normalizers should be part of another component at it is required by both of them.

@nicolas-grekas I agree with you about these points:

• I've been writing validators/filter before, and my experience is that they are completely linked.
• any validation requires some normalization before
• be tolerant when parsing input, and strict in what you output

I've done it too. But IMO it does not mean they have to be part of the same PHP class.
My point is that the validator should only focus on the validation part, while a normalizer should focus on the parsing/normalization part.

Besides, if both are mixed together that means you have to run validation to get a normalized value.
It looks like the job of a normalizer to me, and mixing both is overkill in case you want to normalize some data without validating it.

Lastly, I don't understand why splitting forces doing the normalization twice. It just implies that validation will be strict. You can still have robustness: just normalize your data before validation as it won't do it like it used to.

Right now we have inconsistencies in the validation that I would like to address in the best possible way:

• sogefrpp is an invalid BIC but fr1420041010050500013m02606 is a valid IBAN
• FR142004          1010050500013M02606 is a valid IBAN but sylvain       @assoconnect.com is not a valid email

And not being able to get the normalized value can then lead to this use-case:

1. The database is designed to accept up to 34 chars for an IBAN (as per the related current ISO standard)
2. A user submits a form with a space-padded IBAN
3. Validation says the IBAN is valid
4. The database rejects the INSERT statement because the value is too long

Now let's say we update validators to return the normalized value:

• How may it be used when validation is used on an object using annotations like on an entity or a DTO (I'm thinking about API Platform here)?
• Should the Form component use this returned normalized value to update the "normalized" format (used for internal processing as defined in the class comment of Symfony\Component\Form\Form)?

I'm asking to find a way to implement the way you are thinking about because it solves the issue too.

@nicolas-grekas I share the point of view of @fabpot
given here #30272 (comment)

A validator should only validate the official way.

According to this FR142004          1010050500013M02606 is an invalid IBAN and should be rejected by the validator.

i think, if a constraint's normalization logic is wrong, that's a bugfix per case.

overall, IIUC, the bigger picture and actual feature request is to obtain normalized data from validation, and let forms populate the underlying model as such. Correct?

@ro0NL duly noted for bug reports. So far, I haven't found any wrong constraint's normalization logic, but only discrepancies between two given validators about accepted values.

My bigger picture and actual feature request i:

• to get in the end normalized and strictly validated data
• a solution to keep using validation with annotation

I've mentioned the Form component here because I think it is a major use case for validation but I actually don't use it in my project so far. I only use validation through annotations on DTOs with API platform. And I expect my API to receive and accept only normalized data, that's why I'm thinking that normalization should not be part of validation.

Any help on this matter is welcome and we (devs in my company) can help on submitting PRs to fix the issue. Another alternative is to write and publish strict validators based on the Symfony ones but I don't like this idea.

I haven't found any wrong constraint's normalization logic, but only discrepancies between two given validators

that can be legit isnt it? given each constraint is bound to each own domain; so its specs may differ.

if i validate either FR142004 1010050500013M02606 or fr1420041010050500013m02606 at https://www.ibancalculator.com/ it's considered valid, and displayed normalized (other tools confirm as well).

so this needs to be verified per case still.

And I expect my API to receive and accept only normalized data

that's against the robustness principle :)

If we can get normalized values from validation, then we can proceed with e.g. normalize=true|false for constraint annotations and form field options. Constraints would return the normalized value y/n, whereas form would populate the model using the obtained normalized value y/n.

API Platform is out of scope and could implement a same technique when validating and de-serializing payloads.

All validators with a normalizer option should be updated too to remove this normalizer

why? Those are user-defined normalization rules, and out-of-scope as well :)

@ro0NL ok I'll study discrepancies more closely and I'll open dedicated issues if I think they are legit.

You're right about the robustness and my API. Actually, the real cause is that I don't know how to get the normalized data once API Platform has validated the payload. Your proposition would work, so I'll ask the API Platform about this point (we are starting a project with Les tilleuls so that could help!).

I was thinking that

All validators with a normalizer option should be updated too to remove this normalizer

because I had in mind that validators should not normalized. If the solution is to update validators to return normalized data, then this option is 100% legit.

How should we move forward? I'm not aware of the RFC process.
We can work on a PR to make validators return the normalized data.

I think we should start with the Validator component. Considering the IBAN constraint;

set the normalized value in the current context whereever the state is valid (e.g. after all violations): $this->context->setNormalizedValue($normalized) (edit: actually, i think we should always set it)

then obtain the normalized values in RecursiveContextualValidator. I think it's best to pass along to ConstraintViolationListInterface as it's the return value for end users, in both valid and invalid scenario. At this point e.g. ConstraintViolationListInterface::getNormalizedValues is a structure holding each validated property path.

To provide a consistent set of values, we should provide the input value whenever a constraint doesnt set a normalized value, to be able to gracefully upgrade per constraint.

Form component + API Platform can iterate each normalized property path, and set its (normalized) value using the property accessor.

Lastly, make everything conditional using normalize=true|false options. However, im not sure about such an option for constraints, as it breaks robustness principle. IMHO we only need to solve hydrating normalized values where needed (thus we only need to be able to obtain them, which simplifies things in general).

To pitch in this discussion on the idea of robustness: Isn't it the role of the Serializer (for an API, the Form component otherwise with the DataTransformers mentioned earlier) to manage this aspect as it is the interface with the end user?

In this case, it should be its responsibility to correctly map possible slightly invalid values to a canonical form. And after having passed the serialization, we should be able to rely on the fact that we have a normalized data (after all, that's why we have objects named Normalizers, no?).

Therefore, I really think that the normalization shouldn't be embedded in the validation process, but live on its own. Symfony has done a fabulous job at separating concerns and processes, I would be glad to help continuing on this road ! 🎉

@nicolas-grekas @ro0NL Any feedback on Tristan's last message?

Currently, validators can do what they want internally to simplify their implementation. But they cannot modify the validated value itself (well, for validators running on an object, they might mutate it if the object is mutable, but that's something unavoidable). To me, things should stay this way.

If your API expects to get normalized IBAN in the model, using normalizers in the Serializer component looks the way to go to me.

Thus, adding support for mutating the validated value in the Validator component would not be simple. The validation process traverses the data graph. Any mutation would have to be propagated up (and objects might not have setters, the Validator component does not require them).

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

maybe the listed validators should have a canonicalize option to control whether the validators should canonicalize the value before validation or no (so whether they accept sloppy values or no). this would allow projects to choose either the strict behavior or the current one depending on their need

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

@stof I like your idea about a canonicalize option.

Do you think it's doable to have a global setting for it? So it can be set up at the project level for all the codebase?

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

Just a quick reminder to make a comment on this. If I don't hear anything I'll close this.

Hey,

I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!