This is a security release to address potential denial of service attacks when parsing specially crafted,
malicious input from untrusted sources (like user input). See GHSA-c2pc-g5qf-rfrf for more details.
Added
- Added `max_delimiters_per_line` config option to prevent denial of service attacks when parsing malicious input
- Added `table/max_autocompleted_cells` config option to prevent denial of service attacks when parsing large tables
- The `AttributesExtension` now supports attributes without values (#985, #986)
- The `AutolinkExtension` exposes two new configuration options to override the default behavior (#969, #987):
  - `autolink/allowed_protocols` - an array of protocols to allow autolinking for
  - `autolink/default_protocol` - the default protocol to use when none is specified
- Added `RegexHelper::isWhitespace()` method to check if a given character is an ASCII whitespace character
- Added `CacheableDelimiterProcessorInterface` to ensure linear complexity for dynamic delimiter processing
- Added `Bracket` delimiter type to optimize bracket parsing
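The new options only help if they are actually set before untrusted input reaches the parser. The following is an added example, not code from league/commonmark or from this changelog: it builds a `MarkdownConverter` with every limit introduced in this release configured, then feeds it constructed inputs of the shape the limits are meant to defuse (a line made of thousands of emphasis delimiters and a table whose body row has to be padded out to thousands of cells). The numeric limits and the extra `html_input` / `allow_unsafe_links` settings are illustrative choices for untrusted input, not the library's defaults, which this changelog does not state.

```php
<?php
// Added example, not part of league/commonmark: a converter that sets the
// limits introduced in this security release before parsing untrusted input.
// Limit values below are illustrative, not the library's defaults.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // composer require league/commonmark:^2.4.2

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Autolink\AutolinkExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\Extension\Table\TableExtension;
use League\CommonMark\MarkdownConverter;

function makeHardenedConverter(): MarkdownConverter
{
    $config = [
        // Upper bound on delimiter characters (*, _, ...) considered per line;
        // this is the input shape the advisory's denial of service relies on.
        'max_delimiters_per_line' => 1000,
        // Upper bound on cells the table parser will synthesise to pad a short row.
        'table' => [
            'max_autocompleted_cells' => 1000,
        ],
        // Only autolink https:// URLs, and assume https for bare "www." links.
        'autolink' => [
            'allowed_protocols' => ['https'],
            'default_protocol'  => 'https',
        ],
        // Not part of this release, but sensible for user-supplied Markdown.
        'html_input'         => 'strip',
        'allow_unsafe_links' => false,
    ];

    $environment = new Environment($config);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new AutolinkExtension());
    $environment->addExtension(new TableExtension());

    return new MarkdownConverter($environment);
}

// Constructed inputs (not taken from the advisory) of the shape the limits target.
function pathologicalDelimiters(int $n): string
{
    // "*a*a*a..." : every '*' is a candidate emphasis delimiter on one line.
    return str_repeat('*a', $n) . "\n";
}

function pathologicalTable(int $cols): string
{
    // Wide header and delimiter row, then a one-cell body row the parser must pad.
    $header = '|' . str_repeat(' h |', $cols) . "\n";
    $rule   = '|' . str_repeat(' - |', $cols) . "\n";
    return $header . $rule . "| x |\n";
}

$converter = makeHardenedConverter();

$samples = [
    'delimiters' => pathologicalDelimiters(20000),
    'table'      => pathologicalTable(20000),
    'autolink'   => "visit www.example.com or ftp://example.com today\n",
];

foreach ($samples as $name => $input) {
    $start = hrtime(true);
    $html  = $converter->convert($input)->getContent();
    printf("%-10s %7d bytes in, %7d bytes out, %6.1f ms\n",
        $name, strlen($input), strlen($html), (hrtime(true) - $start) / 1e6);
}
```

Run it once with the two `max_*` keys removed to compare wall-clock time on the same inputs; the difference is what the release is about. Note that with `allowed_protocols` restricted to `https`, the `ftp://` URL in the last sample is left as plain text while `www.example.com` is linked with the configured default protocol.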
Changed
- `[` and `]` are no longer added as `Delimiter` objects on the stack; a new `Bracket` type with its own stack is used instead
- `UrlAutolinkParser` no longer parses URLs with more than 127 subdomains
- Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
- Delimiters should always provide a non-null value via `DelimiterInterface::getIndex()`
  - We'll attempt to infer the index based on surrounding delimiters where possible
- The `DelimiterStack` now accepts integer positions for any `$stackBottom` argument
- Several small performance optimizations