Skip to content

Releases: thephpleague/commonmark

2.6.0

07 Dec 15:36
2.6.0
d150f91
Compare
Choose a tag to compare

This is a security release to address potential denial of service attacks when parsing specially crafted,
malicious input from untrusted sources (like user input). See GHSA-c2pc-g5qf-rfrf for more details.

Added

  • Added max_delimiters_per_line config option to prevent denial of service attacks when parsing malicious input
  • Added table/max_autocompleted_cells config option to prevent denial of service attacks when parsing large tables
  • The AttributesExtension now supports attributes without values (#985, #986)
  • The AutolinkExtension exposes two new configuration options to override the default behavior (#969, #987):
    • autolink/allowed_protocols - an array of protocols to allow autolinking for
    • autolink/default_protocol - the default protocol to use when none is specified
  • Added RegexHelper::isWhitespace() method to check if a given character is an ASCII whitespace character
  • Added CacheableDelimiterProcessorInterface to ensure linear complexity for dynamic delimiter processing
  • Added Bracket delimiter type to optimize bracket parsing

Changed

  • [ and ] are no longer added as Delimiter objects on the stack; a new Bracket type with its own stack is used instead
  • UrlAutolinkParser no longer parses URLs with more than 127 subdomains
  • Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
  • Delimiters should always provide a non-null value via DelimiterInterface::getIndex()
    • We'll attempt to infer the index based on surrounding delimiters where possible
  • The DelimiterStack now accepts integer positions for any $stackBottom argument
  • Several small performance optimizations

2.5.3

16 Aug 11:47
2.5.3
b650144
Compare
Choose a tag to compare

Changed

  • Made compatible with CommonMark spec 0.31.1, including:
    • Remove source, add search to list of recognized block tags

Full Changelog: 2.5.2...2.5.3

2.5.2

14 Aug 10:58
2.5.2
df09d5b
Compare
Choose a tag to compare

Changed

  • Boolean attributes now require an explicit true value (#1040)

Fixed

  • Fixed regression where text could be misinterpreted as an attribute (#1040)

Full Changelog: 2.5.1...2.5.2

2.5.1

24 Jul 12:52
2.5.1
ac81592
Compare
Choose a tag to compare

Fixed

  • Fixed attribute parsing incorrectly parsing mustache-like syntax (#1035)
  • Fixed incorrect Table start line numbers (#1037)

New Contributors

Full Changelog: 2.5.0...2.5.1

2.5.0

22 Jul 18:24
2.5.0
0026475
Compare
Choose a tag to compare

Added

  • The AttributesExtension now supports attributes without values (#985, #986)
  • The AutolinkExtension exposes two new configuration options to override the default behavior (#969, #987):
    • autolink/allowed_protocols - an array of protocols to allow autolinking for
    • autolink/default_protocol - the default protocol to use when none is specified

Changed

  • Made compatible with CommonMark spec 0.31.0, including:
    • Allow closing fence to be followed by tabs
    • Remove restrictive limitation on inline comments
    • Unicode symbols now treated like punctuation (for purposes of flankingness)
    • Trailing tabs on the last line of indented code blocks will be excluded
    • Improved HTML comment matching
  • Paragraphs only containing link reference definitions will be kept in the AST until the Document is finalized
    • (These were previously removed immediately after parsing the Paragraph)

Fixed

  • Fixed list tightness not being determined properly in some edge cases
  • Fixed incorrect ending line numbers for several block types in various scenarios
  • Fixed lowercase inline HTML declarations not being accepted

New Contributors

Full Changelog: 2.4.4...2.5.0

2.4.4

22 Jul 17:12
2.4.4
50bd4dc
Compare
Choose a tag to compare

Fixed

  • Fixed SmartPunct extension changing already-formatted quotation marks (#1030)

Full Changelog: 2.4.3...2.4.4

2.4.3

22 Jul 12:33
2.4.3
b7a7af3
Compare
Choose a tag to compare

Fixed

  • Fixed the Attributes extension not supporting CSS level 3 selectors (#1013)
  • Fixed UrlAutolinkParser incorrectly parsing text containing www anywhere before an autolink (#1025)

New Contributors

Full Changelog: 2.4.2...2.4.3

2.4.2

02 Feb 12:01
2.4.2
91c2429
Compare
Choose a tag to compare

Fixed

  • Fixed declaration parser being too strict
  • FencedCodeRenderer: don't add language- to class if already prefixed

New Contributors

Full Changelog: 2.4.1...2.4.2

2.4.1

30 Aug 16:57
2.4.1
3669d6d
Compare
Choose a tag to compare

Fixed

  • Fixed ExternalLinkProcessor not fully disabling the rel attribute when configured to do so (#992)

2.4.0

24 Mar 15:23
2.4.0
d44a246
Compare
Choose a tag to compare

See the upgrading guide for more information about the exception-related changes

Added

  • Added generic CommonMarkException marker interface for all exceptions thrown by the library
  • Added several new specific exception types implementing that marker interface:
    • AlreadyInitializedException
    • InvalidArgumentException
    • IOException
    • LogicException
    • MissingDependencyException
    • NoMatchingRendererException
    • ParserLogicException
  • Added more configuration options to the Heading Permalinks extension (#939):
    • heading_permalink/apply_id_to_heading - When true, the id attribute will be applied to the heading element itself instead of the <a> tag
    • heading_permalink/heading_class - class to apply to the heading element
    • heading_permalink/insert - now accepts none to prevent the creation of the <a> link
  • Added new table/alignment_attributes configuration option to control how table cell alignment is rendered (#959)

Changed

  • Change several thrown exceptions from RuntimeException to LogicException (or something extending it), including:
    • CallbackGenerators that fail to set a URL or return an expected value
    • MarkdownParser when deactivating the last block parser or attempting to get an active block parser when they've all been closed
    • Adding items to an already-initialized Environment
    • Rendering a Node when no renderer has been registered for it
  • HeadingPermalinkProcessor now throws InvalidConfigurationException instead of RuntimeException when invalid config values are given.
  • HtmlElement::setAttribute() no longer requires the second parameter for boolean attributes
  • Several small micro-optimizations
  • Changed Strikethrough to only allow 1 or 2 tildes per the updated GFM spec

Fixed

  • Fixed inaccurate @throws docblocks throughout the codebase, including ConverterInterface, MarkdownConverter, and MarkdownConverterInterface.
    • These previously suggested that only \RuntimeExceptions were thrown, which was inaccurate as \LogicExceptions were also possible.