bug #59525 [HtmlSanitizer] Fix access to undefined keys in UrlSanitizer (Antoine Beyet)

This PR was merged into the 6.4 branch.

Discussion
----------

[HtmlSanitizer] Fix access to undefined keys in UrlSanitizer

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #59524
| License       | MIT

This PR fixes the bug highlighted in #59524 and adds the unit test used to prove the error.

Commits
-------

c1d8c390042 [HtmlSanitizer] Avoid accessing non existent array key when checking for hosts validity

Author: nicolas-grekas

Diff for: Tests/TextSanitizer/UrlSanitizerTest.php

@@ -274,6 +274,15 @@ public static function provideSanitize(): iterable
             'expected' => null,
         ];
 
+        yield [
+            'input' => 'https://trusted.com/link.php',
+            'allowedSchemes' => ['http', 'https'],
+            'allowedHosts' => ['subdomain.trusted.com', 'trusted.com'],
+            'forceHttps' => false,
+            'allowRelative' => false,
+            'expected' => 'https://trusted.com/link.php',
+        ];
+
         // Allow relative
         yield [
             'input' => '/link.php',

Diff for: TextSanitizer/UrlSanitizer.php

@@ -132,7 +132,7 @@ private static function matchAllowedHostParts(array $uriParts, array $trustedPar
     {
         // Check each chunk of the domain is valid
         foreach ($trustedParts as $key => $trustedPart) {
-            if ($uriParts[$key] !== $trustedPart) {
+            if (!array_key_exists($key, $uriParts) || $uriParts[$key] !== $trustedPart) {
                 return false;
             }
         }