
[Security] Bump league/commonmark from 2.4.2 to 2.7.1

Bumps league/commonmark from 2.4.2 to 2.7.1. This update includes security fixes.

Vulnerabilities fixed

league/commonmark's quadratic complexity bugs may lead to a denial of service

Impact

Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service.

Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case performance is reached. Sending multiple such requests in parallel could tie up all available CPU resources and/or PHP-FPM processes, leading to denial of service for legitimate users.

Patches

These vulnerabilities have been patched in version 2.6.0. All users on older versions are highly encouraged to upgrade as soon as possible.

Workarounds

If you cannot upgrade, you may be able to mitigate the issues by:

  • Setting very low memory_limit and max_execution_time PHP configurations to prevent runaway resource usage
  • Implementing rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site
  • Limiting the size of inputs fed into this library (specifically the max length of each line)
  • Limiting the use of this library to trusted users
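The third workaround, limiting input size and in particular the length of each line, is the one most easily enforced in application code. The block below is an added example, not part of the advisory or of the league/commonmark project: it checks the input before the parser sees it, narrows the per-request PHP resource caps the first workaround refers to, and then converts with the `html_input`/`allow_unsafe_links` options the advisory already recommends. The limit values and the `MarkdownInputTooLarge` exception are assumptions chosen for illustration.

```php
<?php
// Added example (not from the advisory or the league/commonmark project):
// pre-parse input limits plus per-request PHP resource caps, as a stop-gap for
// deployments that cannot yet move to 2.6.0. The limits and the exception
// class are assumptions for illustration; tune them to your application.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\CommonMarkCore\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

final class MarkdownInputTooLarge extends \RuntimeException {}

/**
 * Reject oversized input before it reaches the parser. The advisory's worst
 * cases are reached through long lines, so the per-line limit is the one
 * that matters most; the total-size limit is a coarse backstop.
 */
function assertMarkdownWithinLimits(string $markdown, int $maxBytes = 64 * 1024, int $maxLineBytes = 2000): void
{
    if (strlen($markdown) > $maxBytes) {
        throw new MarkdownInputTooLarge(sprintf('input is %d bytes, limit is %d', strlen($markdown), $maxBytes));
    }
    foreach (preg_split('/\r\n|\r|\n/', $markdown) as $n => $line) {
        if (strlen($line) > $maxLineBytes) {
            throw new MarkdownInputTooLarge(sprintf('line %d is %d bytes, limit is %d', $n + 1, strlen($line), $maxLineBytes));
        }
    }
}

function renderUntrustedMarkdown(string $markdown): string
{
    assertMarkdownWithinLimits($markdown);

    // Per-request caps so a pathological input fails fast instead of holding a
    // PHP-FPM worker. These only tighten the process-wide php.ini values for
    // this request; hitting memory_limit is a fatal error, not an exception.
    ini_set('memory_limit', '64M');
    set_time_limit(5);

    $environment = new Environment([
        'html_input'         => 'strip',
        'allow_unsafe_links' => false,
        'max_nesting_level'  => 50,   // present in every 2.x release
    ]);
    $environment->addExtension(new CommonMarkCoreExtension());

    return (new MarkdownConverter($environment))->convert($markdown)->getContent();
}

// Constructed inputs: a normal document renders, a single over-long line is refused.
echo renderUntrustedMarkdown("# Hello\n\nSome *emphasis* and a [link](https://example.com).\n");

try {
    renderUntrustedMarkdown(str_repeat('*', 100000));
} catch (MarkdownInputTooLarge $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The pre-parse check is the part that actually prevents the worst-case inputs from being processed; `set_time_limit` and `memory_limit` only bound the damage once parsing has started, and a request that trips `memory_limit` terminates with a fatal error rather than an exception you can handle. Once on 2.6.0 or later, the `max_delimiters_per_line` and `table/max_autocompleted_cells` options listed in the changelog below replace the need for most of this.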

References

... (truncated)

Patched versions: 2.6.0
Affected versions: < 2.6.0

league/commonmark contains an XSS vulnerability in Attributes extension

Summary

Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.

Details

The league/commonmark library provides configuration options such as html_input: 'strip' and allow_unsafe_links: false to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces.

As a result, even with the secure configuration shown above, an attacker can inject dangerous attributes into applications using this extension via a payload such as:

![](){onerror=alert(1)}

Which results in the following HTML:

<p><img onerror="alert(1)" src="" alt="" /></p>

Which causes the JS to execute immediately on page load.
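To see the bypass concretely and how the 2.7.0 `attributes/allow` option closes it, the following is an added example, not code from the advisory or the league/commonmark project. It builds two converters with the "secure" core options described above and the Attributes extension: one without an attribute allow-list, which reproduces the advisory's output on versions before 2.7.0, and one with an explicit allow-list. The `attributes/allow` key is defined by the 2.7.0 AttributesExtension; on older releases it is not part of the configuration schema, so the second converter is only meaningful after upgrading. The `rendersEventHandler` helper and the allow-list contents are assumptions for illustration.

```php
<?php
// Added example (not from the advisory or the league/commonmark project):
// the advisory's payload run through the Attributes extension without an
// allow-list (pre-2.7.0 behaviour) and with an explicit one (2.7.0+).
// The helper function and allow-list contents are illustrative choices.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Attributes\AttributesExtension;
use League\CommonMark\Extension\CommonMarkCore\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

/** Build a converter with the "secure" core options plus the Attributes extension. */
function buildConverter(array $extraConfig = []): MarkdownConverter
{
    $environment = new Environment([
        'html_input'         => 'strip',   // raw HTML is removed ...
        'allow_unsafe_links' => false,     // ... and javascript:/data: links are dropped
    ] + $extraConfig);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new AttributesExtension());

    return new MarkdownConverter($environment);
}

/** True when the rendered HTML still carries an inline on* event handler. */
function rendersEventHandler(string $html): bool
{
    return (bool) preg_match('/\son[a-z]+\s*=/i', $html);
}

// Constructed payload, as given in the advisory: the curly-brace syntax sets
// attributes on the preceding image, so html_input=strip never sees raw HTML.
$payload = "![](){onerror=alert(1)}\n";

// 1. No allow-list. Before 2.7.0 this renders
//    <p><img onerror="alert(1)" src="" alt="" /></p>
$unrestricted = buildConverter()->convert($payload)->getContent();
printf("no allow-list: %s -> handler present: %s\n",
    trim($unrestricted), rendersEventHandler($unrestricted) ? 'yes' : 'no');

// 2. Explicit allow-list (attributes/allow, 2.7.0+). Only class and id survive;
//    onerror is dropped. 2.7.0 also blocks on* attributes by default, but an
//    explicit allow-list is the conservative setting for untrusted input.
$allowList = ['attributes' => ['allow' => ['class', 'id']]];
$restricted = buildConverter($allowList)->convert($payload)->getContent();
printf("allow-list:    %s -> handler present: %s\n",
    trim($restricted), rendersEventHandler($restricted) ? 'yes' : 'no');

// 3. Benign use keeps working: a class the allow-list permits on a link.
echo buildConverter($allowList)
    ->convert("[Docs](https://example.com){.btn}\n")
    ->getContent();
```

The allow-list filters by attribute name only. Values of `href` and `src` set through this syntax are covered separately by the 2.7.0 change that makes the extension honour `allow_unsafe_links`, so keep that option at `false` as well; an allow-list that includes `href` or `src` without it would still let an attacker supply a `javascript:` URL.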

... (truncated)

Patched versions: 2.7.0
Affected versions: < 2.7.0

Release notes

Sourced from league/commonmark's releases.

2.7.1

Notable Changes

Changed

  • Optimized several regular expressions in RegexHelper to improve performance (#674, #1086)

Fixed

  • EmbedProcessor no longer calls updateEmbeds() when there are no embeds to update (#1081)
  • Fixed missing benchmark.php CSV path validation for non-existent files (#1068, #1085)

Full Changelog: https://github.com/thephpleague/commonmark/compare/2.7.0...2.7.1

2.7.0

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

  • Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

  • The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
  • The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

2.6.2

Fixed

  • Fixed Attributes extension parsing regression (#1071)

Full Changelog: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2

2.6.1

Fixed

  • Rendered list items should only add newlines around block-level children (#1059, #1061)

Full Changelog: https://github.com/thephpleague/commonmark/compare/2.6.0...2.6.1

2.6.0

... (truncated)

Changelog

Sourced from league/commonmark's changelog.

[2.7.1] - 2025-07-20

Changed

  • Optimized several regular expressions in RegexHelper to improve performance (#674, #1086)

Fixed

  • EmbedProcessor no longer calls updateEmbeds() when there are no embeds to update (#1081)
  • Fixed missing benchmark.php CSV path validation for non-existent files (#1068, #1085)

[2.7.0] - 2025-05-05

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

  • Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

  • The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option
  • The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

[2.6.2] - 2025-04-18

Fixed

  • Fixed Attributes extension parsing regression (#1071)

[2.6.1] - 2024-12-29

Fixed

  • Rendered list items should only add newlines around block-level children (#1059, #1061)

[2.6.0] - 2024-12-07

This is a security release to address potential denial of service attacks when parsing specially crafted, malicious input from untrusted sources (like user input).

Added

  • Added max_delimiters_per_line config option to prevent denial of service attacks when parsing malicious input
  • Added table/max_autocompleted_cells config option to prevent denial of service attacks when parsing large tables
  • The AttributesExtension now supports attributes without values (#985, #986)
  • The AutolinkExtension exposes two new configuration options to override the default behavior (#969, #987):
    • autolink/allowed_protocols - an array of protocols to allow autolinking for
    • autolink/default_protocol - the default protocol to use when none is specified
  • Added RegexHelper::isWhitespace() method to check if a given character is an ASCII whitespace character
  • Added CacheableDelimiterProcessorInterface to ensure linear complexity for dynamic delimiter processing
  • Added Bracket delimiter type to optimize bracket parsing

Changed

... (truncated)

Commits
  • 1073224 Prepare to release 2.7.1
  • 00f2f51 Merge pull request #1086 from thephpleague/regex-optimizations
  • 0f8e8af Optimize HTML Block Type 6 pattern with possessive quantifiers
  • badbf6c Add possessive quantifiers to HTML tag patterns to prevent backtracking
  • cc6e900 Optimize PARTIAL_HTMLCOMMENT with better grouping
  • 142edc4 Add atomic group to PARTIAL_ENTITY to prevent backtracking
  • 26c0a98 Optimize REGEX_THEMATIC_BREAK by consolidating anchors
  • 727f5fa Optimize REGEX_PUNCTUATION by removing redundant explicit characters
  • 37d451e Merge pull request #1085 from thephpleague/copilot/fix-1068
  • b8ba8fa Fix benchmark.php CSV path validation for non-existent files
  • Additional commits viewable in compare view
