Releases: thephpleague/commonmark
2.6.0
This is a security release to address potential denial of service attacks when parsing specially crafted,
malicious input from untrusted sources (like user input). See GHSA-c2pc-g5qf-rfrf for more details.
Added
- Added `max_delimiters_per_line` config option to prevent denial of service attacks when parsing malicious input
- Added `table/max_autocompleted_cells` config option to prevent denial of service attacks when parsing large tables
- The `AttributesExtension` now supports attributes without values (#985, #986)
- The `AutolinkExtension` exposes two new configuration options to override the default behavior (#969, #987):
  - `autolink/allowed_protocols` - an array of protocols to allow autolinking for
  - `autolink/default_protocol` - the default protocol to use when none is specified
- Added `RegexHelper::isWhitespace()` method to check if a given character is an ASCII whitespace character
- Added `CacheableDelimiterProcessorInterface` to ensure linear complexity for dynamic delimiter processing
- Added `Bracket` delimiter type to optimize bracket parsing
Changed
- `[` and `]` are no longer added as `Delimiter` objects on the stack; a new `Bracket` type with its own stack is used instead
- `UrlAutolinkParser` no longer parses URLs with more than 127 subdomains
- Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
- Delimiters should always provide a non-null value via `DelimiterInterface::getIndex()`
  - We'll attempt to infer the index based on surrounding delimiters where possible
- The `DelimiterStack` now accepts integer positions for any `$stackBottom` argument
- Several small performance optimizations
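A converter configured for untrusted input using the two limits added in 2.6.0, as an added example that is not part of the project's release notes. The numeric limits, the `MAX_INPUT_BYTES` cap and the `buildConverter()` / `renderUntrusted()` helpers are assumptions for illustration; `html_input`, `allow_unsafe_links` and `max_nesting_level` are existing library options not mentioned on this page.

```php
<?php
declare(strict_types=1);

// Added example. Assumes league/commonmark >= 2.6.0 installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Exception\CommonMarkException;
use League\CommonMark\Extension\Autolink\AutolinkExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\Extension\Table\TableExtension;
use League\CommonMark\MarkdownConverter;

// Limit values below are illustrative assumptions; tune them to your content.
const MAX_INPUT_BYTES = 100 * 1024; // hypothetical application-level size cap

function buildConverter(): MarkdownConverter
{
    $environment = new Environment([
        'html_input'              => 'escape', // render raw HTML as text
        'allow_unsafe_links'      => false,    // drop javascript:, data: etc. links
        'max_nesting_level'       => 50,       // bound block nesting depth
        'max_delimiters_per_line' => 500,      // new in 2.6.0
        'table'    => ['max_autocompleted_cells' => 1000], // new in 2.6.0
        'autolink' => ['allowed_protocols' => ['https', 'http'], 'default_protocol' => 'https'],
    ]);
    // The 'table' and 'autolink' keys are only valid once their extensions are registered.
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new TableExtension());
    $environment->addExtension(new AutolinkExtension());

    return new MarkdownConverter($environment);
}

function renderUntrusted(MarkdownConverter $converter, string $markdown): ?string
{
    if (strlen($markdown) > MAX_INPUT_BYTES) {
        return null; // reject oversized input before it reaches the parser
    }
    try {
        return $converter->convert($markdown)->getContent();
    } catch (CommonMarkException $e) { // marker interface added in 2.4.0
        error_log('Markdown rendering failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed sample: a bare www link plus a table row with missing (autocompleted) cells.
$sample = "See www.example.com\n\n| a | b | c |\n|---|---|---|\n| 1 |\n";
echo renderUntrusted(buildConverter(), $sample) ?? "rejected\n";
```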
2.5.3
Changed
- Made compatible with CommonMark spec 0.31.1, including:
  - Remove `source`, add `search` to list of recognized block tags
Full Changelog: 2.5.2...2.5.3
2.5.2
Changed
- Boolean attributes now require an explicit `true` value (#1040)
Fixed
- Fixed regression where text could be misinterpreted as an attribute (#1040)
Full Changelog: 2.5.1...2.5.2
2.5.1
Fixed
- Fixed attribute parsing incorrectly parsing mustache-like syntax (#1035)
- Fixed incorrect `Table` start line numbers (#1037)
New Contributors
- @jasonvarga made their first contribution in #1035
Full Changelog: 2.5.0...2.5.1
2.5.0
Added
- The `AttributesExtension` now supports attributes without values (#985, #986)
- The `AutolinkExtension` exposes two new configuration options to override the default behavior (#969, #987):
  - `autolink/allowed_protocols` - an array of protocols to allow autolinking for
  - `autolink/default_protocol` - the default protocol to use when none is specified
Changed
- Made compatible with CommonMark spec 0.31.0, including:
  - Allow closing fence to be followed by tabs
  - Remove restrictive limitation on inline comments
  - Unicode symbols now treated like punctuation (for purposes of flankingness)
  - Trailing tabs on the last line of indented code blocks will be excluded
  - Improved HTML comment matching
- `Paragraph`s only containing link reference definitions will be kept in the AST until the `Document` is finalized
  - (These were previously removed immediately after parsing the `Paragraph`)
Fixed
- Fixed list tightness not being determined properly in some edge cases
- Fixed incorrect ending line numbers for several block types in various scenarios
- Fixed lowercase inline HTML declarations not being accepted
New Contributors
- @svenluijten made their first contribution in #986
Full Changelog: 2.4.4...2.5.0
2.4.4
Fixed
- Fixed SmartPunct extension changing already-formatted quotation marks (#1030)
Full Changelog: 2.4.3...2.4.4
2.4.3
Fixed
- Fixed the Attributes extension not supporting CSS level 3 selectors (#1013)
- Fixed `UrlAutolinkParser` incorrectly parsing text containing `www` anywhere before an autolink (#1025)
New Contributors
- @nfreader made their first contribution in #1016
- @macbookandrew made their first contribution in #1025
- @xavierlacot made their first contribution in #1013
Full Changelog: 2.4.2...2.4.3
2.4.2
Fixed
- Fixed declaration parser being too strict
- `FencedCodeRenderer`: don't add `language-` to class if already prefixed
New Contributors
- @sergiy-petrov made their first contribution in #997
- @clustermin made their first contribution in #988
- @peter279k made their first contribution in #996
Full Changelog: 2.4.1...2.4.2
2.4.1
2.4.0
See the upgrading guide for more information about the exception-related changes
Added
- Added generic `CommonMarkException` marker interface for all exceptions thrown by the library
- Added several new specific exception types implementing that marker interface:
  - `AlreadyInitializedException`
  - `InvalidArgumentException`
  - `IOException`
  - `LogicException`
  - `MissingDependencyException`
  - `NoMatchingRendererException`
  - `ParserLogicException`
- Added more configuration options to the Heading Permalinks extension (#939):
  - `heading_permalink/apply_id_to_heading` - When `true`, the `id` attribute will be applied to the heading element itself instead of the `<a>` tag
  - `heading_permalink/heading_class` - class to apply to the heading element
  - `heading_permalink/insert` - now accepts `none` to prevent the creation of the `<a>` link
- Added new `table/alignment_attributes` configuration option to control how table cell alignment is rendered (#959)
Changed
- Change several thrown exceptions from `RuntimeException` to `LogicException` (or something extending it), including:
  - `CallbackGenerator`s that fail to set a URL or return an expected value
  - `MarkdownParser` when deactivating the last block parser or attempting to get an active block parser when they've all been closed
  - Adding items to an already-initialized `Environment`
  - Rendering a `Node` when no renderer has been registered for it
- `HeadingPermalinkProcessor` now throws `InvalidConfigurationException` instead of `RuntimeException` when invalid config values are given.
- `HtmlElement::setAttribute()` no longer requires the second parameter for boolean attributes
- Several small micro-optimizations
- Changed Strikethrough to only allow 1 or 2 tildes per the updated GFM spec
Fixed
- Fixed inaccurate `@throws` docblocks throughout the codebase, including `ConverterInterface`, `MarkdownConverter`, and `MarkdownConverterInterface`.
  - These previously suggested that only `\RuntimeException`s were thrown, which was inaccurate as `\LogicException`s were also possible.