commonmark

This release contains an important security update for CVE-2018-20583.

Fixed

• Fix XSS vulnerability caused by URL normalization not handling/encoding newlines properly (#337, CVE-2018-20583)

No breaking changes were introduced, but we did add a new interface: ConverterInterface. Consider depending on this interface in your code instead of the concrete implementation. (See #330)

Added

• Added ConverterInterface to Converter and CommonMarkConverter (#330)
• Added ListItem::getListData() method (#329)

Changed

• Links with target="_blank" will also get rel="noopener noreferrer" by default (#331)
• Implemented several performance optimizations (#324)

Fixed

• Fixed incorrect version constant value (again)
• Fixed release checklist to prevent the above from happening
• Fixed incorrect dates in CHANGELOG

Added

• Added ListBlock::setTight() method

Fixed

• Fixed incorrect version constant value (#322)

Added

• Added new RegexHelper::isEscapable() method

Fixed

• Fixed spec compliance bug where escaped spaces should not be allowed in link destinations

Added

• Added a new constant containing the current version: CommonMarkConverter::VERSION (#314)

This release contains several breaking changes and a minimum PHP version bump - see UPGRADE.md for more details.

Added

• Added new max_nesting_level setting (#243)
• Added minor performance optimizations to Cursor

Changed

• Minimum PHP version is now 5.6.5.
• All full and partial regular expressions in RegexHelper are now defined as constants instead of being built on-the-fly.
• Cursor::saveState() now returns an array instead of a CursorState object.
• Cursor::restoreState() now accepts an array parameter instead of a CursorState object.
• Saving/restoring the Cursor state no longer tracks things that don't change (like the text content).
• RegexHelper is now final.
• References to InlineContainer changed to new InlineContainerInterface interface.
• MiscExtension::addInlineParser() and MiscExtension::addBlockRenderer() now return $this instead of nothing.

Fixed

• Fixed Reference::normalizeReference() not properly collapsing whitespace to a single space

Deprecated

• RegexHelper::getInstance() and all instance (non-static) methods have been deprecated.
• The InlineContainer interface has been deprecated. Use InlineContainerInterface instead.

Removed

• Removed support for PHP 5.4 and 5.5.
• Removed CursorState class
• Removed all previous deprecations:
  • Cursor::getFirstNonSpacePosition()
  • Cursor::getFirstNonSpaceCharacter()
  • Cursor::advanceWhileMatches()
  • Cursor::advanceToFirstNonSpace()
  • ElementRendererInterface::escape()
  • HtmlRenderer::escape()
  • RegexHelper::REGEX_UNICODE_WHITESPACE
  • RegexHelper::getLinkDestinationRegex()

This release contains breaking changes, several performance improvements, and two deprecations:

Added

• Added new Xml utility class; moved HTML/XML escaping logic into there (see deprecations below)

Changed

• Environment::getInlineParsersForCharacter() now returns an empty array (instead of null) when no matching parsers are found
• Three utility classes are now marked final:
  • Html5Entities
  • LinkParserHelper
  • UrlEncoder

Fixed

• Improved performance of several methods (for a 10% overall performance boost - #292)

Deprecated

The following methods were deprecated and are scheduled for removal in 0.17.0 or 1.0.0 (whichever comes first). See UPGRADE.md for more information.

• Cursor::advanceWhileMatches() deprecated; use Cursor::match() instead.
• HtmlRenderer::escape() deprecated; use Xml::escape() instead.

Removed

• Removed DelimiterStack::findFirstMatchingOpener() which was previously deprecated in 0.15.0

Fixed

• Improved performance of Cursor::advanceBy() (for a 16% performance boost!) 🎉

Fixed

• Fixed URI normalization not properly encoding/decoding special characters in certain cases (#287)

This release bumps spec compliance to 0.28 without breaking changes to the API.

Added

• Project is now tested against PHP 7.2

Changed

• Bumped CommonMark spec target to 0.28
• Changed internal implementation of LinkParserHelper::parseLinkDestination() to allow nested parens
• Changed precedence of strong/emph when both nestings are possible (rule 14)
• Allow tabs before and after ATX closing header

Fixed

• Fixed HTML type 6 block regex matching against <pre> (it shouldn't) and not matching <iframe> (it should)
• Fixed reference parser incorrectly handling escaped ] characters
• Fixed "multiple of 3" delimiter run calculations

Deprecated

An unused constant and static method were deprecated and will be removed in a future release. See <UPGRADE.md> for more information.

• Deprecated RegexHelper::REGEX_UNICODE_WHITESPACE (no longer used)
• Deprecated RegexHelper::getLinkDestinationRegex() (no longer used)

Added

• Added new methods to Cursor (#280):
  • advanceToNextNonSpaceOrNewline() - Identical replacement for the (now-deprecated) advanceToFirstNonSpace() method
  • advanceToNextNonSpaceOrTab() - Similar replacement for advanceToFirstNonSpace() but with proper tab handling
  • getNextNonSpaceCharacter() - Identical replacement for the (now-deprecated) getFirstNonSpaceCharacter() method
  • getNextNonSpacePosition() - Identical replacement for the (now-deprecated) getFirstNonSpacePosition() method
• Added new method to CursorState (#280):
  • getNextNonSpaceCache() - Identical replacement for the (now-deprecated) getFirstNonSpaceCache() method

Fixed

• Fixed duplicate characters in non-intended lines containing tabs (#279)

Deprecated

All deprecations listed here will be removed in a future 0.x release. See UPGRADE.md for instructions on preparing your code for the eventual removal of these methods.

• Deprecated Cursor::advanceToFirstNonSpace() (#280)
  • Use advanceToNextNonSpaceOrTab() or advanceToNextNonSpaceOrNewline() instead, depending on your requirements
• Deprecated Cursor::getFirstNonSpaceCharacter() (#280)
  • Use Cursor::getNextNonSpaceCharacter() instead
• Deprecated Cursor::getFirstNonSpacePosition() (#280)
  • Use Cursor::getNextNonSpacePosition() instead
• Deprecated CursorState::getFirstNonSpaceCache() (#280)
  • Use CursorState::getNextNonSpaceCache() instead

Fixed

• Allow inline parsers matching regex delimiter to be created (#271, #272)

Changed

• Bumped spec target version to 0.27 (#268)
• H2-H6 elements are now parsed as HTML block elements instead of HTML inlines

Fixed

• Fixed incomplete punctuation regex
• Fixed shortcut links not being allowed before a (
• Fixed distinction between Unicode whitespace and regular whitespace

Fixed

• Fixed setext heading underlines not allowing trailing tabs (#266)

Added

• Added preliminary support for PHP 7.1 (#259)
• Added more regression tests (#258, #260)

Changed

• Bumped spec target version to 0.26 (#260)
• The CursorState constructor requires an additional parameter (#258)
• Ordered lists cannot interupt a paragraph unless they start with 1 (#260)
• Blank list items cannot interupt a paragraph (#260)

Deprecated

• Deprecated DelimiterStack::findFirstMatchingOpener() - use findMatchingOpener() instead (#260)

Fixed

• Fixed tabs in ATX headers and thematic breaks (#260)
• Fixed issue where cursor state was not being restored properly (#258, #260)
  • This fixed the lists-with-tabs regression reported in #258

Removed

• Removed an unnecessary check in Cursor::advanceBy() (#260)
• Removed the two-blanks-break-out-of-lists feature (#260)

Added

• The safe option is deprecated and replaced by 2 new options (#253, #255):
  • html_input (strip, allow or escape): how to handle untrusted HTML input (the default is strip for BC reasons)
  • allow_unsafe_links (true or false): whether to allow risky image URLs and links (the default is true for BC reasons)

Deprecated

• The safe option is now deprecated and will be removed in the 1.0.0 release.

Fixed

• Fixed path to autoload.php within bin/commonmark (#250)

Added

• Added setUrl() method for Link and Image elements (#227, #244)
• Added cebe/markdown to the benchmark tool (#245)