This is the documentation for version 2.6. Please consider upgrading your code to the latest stable version
Changelog
All notable changes made in 2.x releases are shown below. See the full list of releases for the complete changelog.
2.7.1 - 2025-07-20
Notable Changes
Changed
- Optimized several regular expressions in
RegexHelperto improve performance (#674, #1086)
Fixed
EmbedProcessorno longer callsupdateEmbeds()when there are no embeds to update (#1081)- Fixed missing
benchmark.phpCSV path validation for non-existent files (#1068, #1085)
New Contributors
- @driesvints made their first contribution in https://github.com/thephpleague/commonmark/pull/1077
- @adielcristo made their first contribution in https://github.com/thephpleague/commonmark/pull/1079
- @Copilot made their first contribution in https://github.com/thephpleague/commonmark/pull/1085
Full Changelog: https://github.com/thephpleague/commonmark/compare/2.7.0…2.7.1
2.7.0 - 2025-05-05
This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.
Added
- Added
attributes/allowconfig option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)
Changed
- The
AttributesExtensionblocks all attributes starting withonunless explicitly allowed via theattributes/allowconfig option - The
allow_unsafe_linksoption is now respected by theAttributesExtensionwhen users specifyhrefandsrcattributes
2.6.2 - 2025-04-18
Fixed
- Fixed Attributes extension parsing regression (#1071)
Other Changes
- fix incorrect interface in docs v2.6 by @CharrafiMed in https://github.com/thephpleague/commonmark/pull/1063
- docs/2.6/extensions/front-matter.md: add missing newline by @DanielEScherzer in https://github.com/thephpleague/commonmark/pull/1069
New Contributors
- @CharrafiMed made their first contribution in https://github.com/thephpleague/commonmark/pull/1063
- @DanielEScherzer made their first contribution in https://github.com/thephpleague/commonmark/pull/1069
Full Changelog: https://github.com/thephpleague/commonmark/compare/2.6.1…2.6.2
2.6.1 - 2024-12-29
Fixed
- Rendered list items should only add newlines around block-level children (#1059, #1061)
Full Changelog: https://github.com/thephpleague/commonmark/compare/2.6.0…2.6.1
2.6.0 - 2024-12-07
This is a security release to address potential denial of service attacks when parsing specially crafted, malicious input from untrusted sources (like user input). See https://github.com/thephpleague/commonmark/security/advisories/GHSA-c2pc-g5qf-rfrf for more details.
Added
- Added
max_delimiters_per_lineconfig option to prevent denial of service attacks when parsing malicious input - Added
table/max_autocompleted_cellsconfig option to prevent denial of service attacks when parsing large tables - The
AttributesExtensionnow supports attributes without values (#985, #986) - The
AutolinkExtensionexposes two new configuration options to override the default behavior (#969, #987):autolink/allowed_protocols- an array of protocols to allow autolinking forautolink/default_protocol- the default protocol to use when none is specified
- Added
RegexHelper::isWhitespace()method to check if a given character is an ASCII whitespace character - Added
CacheableDelimiterProcessorInterfaceto ensure linear complexity for dynamic delimiter processing - Added
Bracketdelimiter type to optimize bracket parsing
Changed
[and]are no longer added asDelimiterobjects on the stack; a newBrackettype with its own stack is used insteadUrlAutolinkParserno longer parses URLs with more than 127 subdomains- Expanded reference links can no longer exceed 100kb, or the size of the input document (whichever is greater)
- Delimiters should always provide a non-null value via
DelimiterInterface::getIndex()- We’ll attempt to infer the index based on surrounding delimiters where possible
- The
DelimiterStacknow accepts integer positions for any$stackBottomargument - Several small performance optimizations
Older Versions
Please see the full list of releases for the complete changelog.