This is a security release to address potential denial of service attacks when parsing specially crafted,
malicious input from untrusted sources (like user input). See GHSA-c2pc-g5qf-rfrf for more details.
Added
- Added
max_delimiters_per_lineconfig option to prevent denial of service attacks when parsing malicious input - Added
table/max_autocompleted_cellsconfig option to prevent denial of service attacks when parsing large tables - The
AttributesExtensionnow supports attributes without values (#985, #986) - The
AutolinkExtensionexposes two new configuration options to override the default behavior (#969, #987):autolink/allowed_protocols- an array of protocols to allow autolinking forautolink/default_protocol- the default protocol to use when none is specified
- Added
RegexHelper::isWhitespace()method to check if a given character is an ASCII whitespace character - Added
CacheableDelimiterProcessorInterfaceto ensure linear complexity for dynamic delimiter processing - Added
Bracketdelimiter type to optimize bracket parsing
Changed
[and]are no longer added asDelimiterobjects on the stack; a newBrackettype with its own stack is used insteadUrlAutolinkParserno longer parses URLs with more than 127 subdomains- Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
- Delimiters should always provide a non-null value via
DelimiterInterface::getIndex()- We'll attempt to infer the index based on surrounding delimiters where possible
- The
DelimiterStacknow accepts integer positions for any$stackBottomargument - Several small performance optimizations