github erusev/parsedown 1.8.0
on GitHub

6 hours ago

The first stable release in over six years. Requires PHP 7.1+.

Breaking Changes

  • PHP 7.1 minimum -- dropped support for PHP 5.3, 5.4, 5.5, 5.6, and 7.0.
  • List separation by marker type -- lists using different markers (*, +, -, or switching between . and ) for ordered lists) are now treated as separate lists, matching the CommonMark spec.
  • Lazy blockquotes -- consecutive blockquotes separated by a blank line are no longer merged into one, per CommonMark.
  • Sparse HTML blocks -- blank lines inside block-level HTML are now wrapped in <p> tags instead of being preserved as-is.
  • Empty ATX headings -- # and ## on their own now produce <h1></h1> and <h2></h2> instead of being treated as paragraphs.
  • Extensions accessing block internals may need to update: the element structure uses element instead of text in some places (e.g. $Block['element']['element']['text'] instead of $Block['element']['text']['text']).

Security

  • Regex patterns throughout the parser now use possessive quantifiers (*+, ++) to prevent catastrophic backtracking (ReDoS). This addresses denial-of-service vectors where malformed emphasis markers or other adversarial input could cause memory exhaustion or hangs.
  • Safe mode now sanitizes nested elements correctly via recursive AST traversal. Previously, sanitization only applied at the top level.
  • Extensions can mark self-produced HTML as trusted using allowRawHtmlInSafeMode so it isn't escaped in safe mode, while untrusted input remains escaped.

PHP Compatibility

  • Fixed implicit nullable parameter deprecations for PHP 8.4+.
  • Updated PHPUnit dependency and test infrastructure for modern PHP.
  • CI moved from Travis CI to GitHub Actions.

CommonMark Compliance

  • Setext headings now handle leading/trailing spaces correctly.
  • ATX heading closing # sequences are trimmed properly (e.g. # # of levels # # renders as <h1># of levels #</h1>).
  • Ordered lists support ) as a marker in addition to ..
  • Ordered lists starting with a number other than 1 no longer interrupt paragraphs.
  • One-column tables are now supported.
  • Fenced code blocks require the closing fence to have at least as many backticks/tildes as the opening fence.
  • HTML comments follow the CommonMark spec more closely.
  • Email autolinks validate against the CommonMark email definition.
  • Escaped tilde characters (\~\~) are no longer treated as strikethrough.

New Features

  • Strict mode (setStrictMode(true)) -- requires a space after # in ATX headings (CommonMark-compliant behavior).

Bug Fixes

  • Fixed "Uninitialized string offset" errors on certain inputs.
  • Fixed adjacent blockquotes being incorrectly merged.
  • Fixed line-break standardization when using the line() method directly.
  • Fixed table header validation (headers containing newlines are no longer accepted).
  • Fixed spaces in fenced code block class names.
Check out latest releases or
releases around erusev/parsedown 1.8.0

Don't miss a new parsedown release

NewReleases is sending notifications on new releases.

Get notifications