·
0 commits
to 2.5
since this release
2.6.0
colinodell
Colin O'Dell
This tag was signed with the committer’s verified signature.
colinodell
Colin O'Dell
d150f91
This commit was signed with the committer’s verified signature.
colinodell
Colin O'Dell
This is a security release to address potential denial of service attacks when parsing specially crafted,
malicious input from untrusted sources (like user input). See GHSA-c2pc-g5qf-rfrf for more details.
Added
- Added
max_delimiters_per_lineconfig option to prevent denial of service attacks when parsing malicious input - Added
table/max_autocompleted_cellsconfig option to prevent denial of service attacks when parsing large tables - The
AttributesExtensionnow supports attributes without values (#985, #986) - The
AutolinkExtensionexposes two new configuration options to override the default behavior (#969, #987):autolink/allowed_protocols- an array of protocols to allow autolinking forautolink/default_protocol- the default protocol to use when none is specified
- Added
RegexHelper::isWhitespace()method to check if a given character is an ASCII whitespace character - Added
CacheableDelimiterProcessorInterfaceto ensure linear complexity for dynamic delimiter processing - Added
Bracketdelimiter type to optimize bracket parsing
Changed
[and]are no longer added asDelimiterobjects on the stack; a newBrackettype with its own stack is used insteadUrlAutolinkParserno longer parses URLs with more than 127 subdomains- Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
- Delimiters should always provide a non-null value via
DelimiterInterface::getIndex()- We'll attempt to infer the index based on surrounding delimiters where possible
- The
DelimiterStacknow accepts integer positions for any$stackBottomargument - Several small performance optimizations