Changelog

All notable changes made in 2.x releases are shown below. See the full list of releases for the complete changelog.

2.7.1 - 2025-07-20

Notable Changes

Changed

• Optimized several regular expressions in RegexHelper to improve performance (#674, #1086)

Fixed

• EmbedProcessor no longer calls updateEmbeds() when there are no embeds to update (#1081)
• Fixed missing benchmark.php CSV path validation for non-existent files (#1068, #1085)

New Contributors

• @driesvints made their first contribution in https://github.com/thephpleague/commonmark/pull/1077
• @adielcristo made their first contribution in https://github.com/thephpleague/commonmark/pull/1079
• @Copilot made their first contribution in https://github.com/thephpleague/commonmark/pull/1085

Full Changelog: https://github.com/thephpleague/commonmark/compare/2.7.0…2.7.1

2.7.0 - 2025-05-05

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

• Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

• The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
• The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

Older Versions

Please see the full list of releases for the complete changelog.

Edit this page