2.6.1

Fixed

• Rendered list items should only add newlines around block-level children (#1059, #1061)

Full Changelog: 2.6.0...2.6.1

2.6.0

This is a security release to address potential denial of service attacks when parsing specially crafted,
malicious input from untrusted sources (like user input). See GHSA-c2pc-g5qf-rfrf for more details.

Added

• Added max_delimiters_per_line config option to prevent denial of service attacks when parsing malicious input
• Added table/max_autocompleted_cells config option to prevent denial of service attacks when parsing large tables
• The AttributesExtension now supports attributes without values (#985, #986)
• The AutolinkExtension exposes two new configuration options to override the default behavior (#969, #987):
  • autolink/allowed_protocols - an array of protocols to allow autolinking for
  • autolink/default_protocol - the default protocol to use when none is specified
• Added RegexHelper::isWhitespace() method to check if a given character is an ASCII whitespace character
• Added CacheableDelimiterProcessorInterface to ensure linear complexity for dynamic delimiter processing
• Added Bracket delimiter type to optimize bracket parsing

Changed

• [ and ] are no longer added as Delimiter objects on the stack; a new Bracket type with its own stack is used instead
• UrlAutolinkParser no longer parses URLs with more than 127 subdomains
• Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
• Delimiters should always provide a non-null value via DelimiterInterface::getIndex()
  • We'll attempt to infer the index based on surrounding delimiters where possible
• The DelimiterStack now accepts integer positions for any $stackBottom argument
• Several small performance optimizations

2.5.3

Changed

• Made compatible with CommonMark spec 0.31.1, including:
  • Remove source, add search to list of recognized block tags

Full Changelog: 2.5.2...2.5.3

2.5.2

Changed

• Boolean attributes now require an explicit true value (#1040)

Fixed

• Fixed regression where text could be misinterpreted as an attribute (#1040)

---

Full Changelog: 2.5.1...2.5.2

2.5.1

Fixed

• Fixed attribute parsing incorrectly parsing mustache-like syntax (#1035)
• Fixed incorrect Table start line numbers (#1037)

New Contributors

• @jasonvarga made their first contribution in #1035

Full Changelog: 2.5.0...2.5.1

2.5.0

Added

• The AttributesExtension now supports attributes without values (#985, #986)
• The AutolinkExtension exposes two new configuration options to override the default behavior (#969, #987):
  • autolink/allowed_protocols - an array of protocols to allow autolinking for
  • autolink/default_protocol - the default protocol to use when none is specified

Changed

• Made compatible with CommonMark spec 0.31.0, including:
  • Allow closing fence to be followed by tabs
  • Remove restrictive limitation on inline comments
  • Unicode symbols now treated like punctuation (for purposes of flankingness)
  • Trailing tabs on the last line of indented code blocks will be excluded
  • Improved HTML comment matching
• Paragraphs only containing link reference definitions will be kept in the AST until the Document is finalized
  • (These were previously removed immediately after parsing the Paragraph)

Fixed

• Fixed list tightness not being determined properly in some edge cases
• Fixed incorrect ending line numbers for several block types in various scenarios
• Fixed lowercase inline HTML declarations not being accepted

New Contributors

• @svenluijten made their first contribution in #986

Full Changelog: 2.4.4...2.5.0

2.4.4

Fixed

• Fixed SmartPunct extension changing already-formatted quotation marks (#1030)

Full Changelog: 2.4.3...2.4.4

2.4.3

Fixed

• Fixed the Attributes extension not supporting CSS level 3 selectors (#1013)
• Fixed UrlAutolinkParser incorrectly parsing text containing www anywhere before an autolink (#1025)

New Contributors

• @nfreader made their first contribution in #1016
• @macbookandrew made their first contribution in #1025
• @xavierlacot made their first contribution in #1013

Full Changelog: 2.4.2...2.4.3

2.4.2

Fixed

• Fixed declaration parser being too strict
• FencedCodeRenderer: don't add language- to class if already prefixed

New Contributors

• @sergiy-petrov made their first contribution in #997
• @clustermin made their first contribution in #988
• @peter279k made their first contribution in #996

Full Changelog: 2.4.1...2.4.2

2.4.1

Fixed

• Fixed ExternalLinkProcessor not fully disabling the rel attribute when configured to do so (#992)