[continued from previous message]

│ │ │ +-rw-r--r-- 0 root (0) root (0) 1158 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/Reference.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 623 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceInterface.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 2022 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceMap.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 787 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceMapInterface.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 9238 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceParser.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 405 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Reference/ReferenceableInterface.php
│ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/
│ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Block/
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1467 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Block/DocumentRenderer.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1978 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Block/ParagraphRenderer.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 701 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/ChildNodeRendererInterface.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 687 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/DocumentRendererInterface.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1263 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/HtmlDecorator.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 2869 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/HtmlRenderer.php
│ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Inline/
│ │ │ +-rw-r--r-- 0 root (0) root (0) 2012 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Inline/NewlineRenderer.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1339 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/Inline/TextRenderer.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 728 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/MarkdownRendererInterface.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 421 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/NoMatchingRendererException.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 662 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Renderer/NodeRendererInterface.php
│ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/
│ │ │ +-rw-r--r-- 0 root (0) root (0) 3476 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/ArrayCollection.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1815 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/Html5EntityDecoder.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 4140 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/HtmlElement.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1468 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/HtmlFilter.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 4942 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/LinkParserHelper.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1641 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/PrioritizedList.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 10399 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/RegexHelper.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 2237 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/SpecReader.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 2619 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/UrlEncoder.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 738 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Util/Xml.php
│ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/
│ │ │ +-rw-r--r-- 0 root (0) root (0) 2222 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/FallbackNodeXmlRenderer.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 1604 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/MarkdownToXmlConverter.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 610 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/XmlNodeRendererInterface.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 4166 2025-05-05 12:20:28.000000 ./usr/share/php/League/CommonMark/Xml/XmlRenderer.php
│ │ │ +-rw-r--r-- 0 root (0) root (0) 39022 2025-05-05 14:16:52.000000 ./usr/share/php/League/CommonMark/autoload.php
│ │ │ +drwxr-xr-x 0 root (0) root (0) 0 2025-05-05 14:16:52.000000 ./usr/share/pkg-php-tools/
│ │ │ drwxr-xr-x 0 root (0) root (0) 0 2024-10-29 12:16:14.000000 ./usr/share/pkg-php-tools/autoloaders/
│ │ │ -rw-r--r-- 0 root (0) root (0) 49 2024-07-23 10:20:01.000000 ./usr/share/pkg-php-tools/autoloaders/php-league-commonmark
│ │ ├── ./usr/share/doc/php-league-commonmark/changelog.Debian.gz
│ │ │ ├── changelog.Debian
│ │ │ │ @@ -1,7 +1,15 @@
│ │ │ │ +php-league-commonmark (2.7.0-1) unstable; urgency=medium
│ │ │ │ +
│ │ │ │ + [ Colin O'Dell ]
│ │ │ │ + * Fix XSS in AttributesExtension
│ │ │ │ + * Prepare to release 2.7.0
│ │ │ │ +
│ │ │ │ + -- David Prévot <taffit@debian.org> Mon, 05 May 2025 16:16:52 +0200
│ │ │ │ +
│ │ │ │ php-league-commonmark (2.6.2-1) unstable; urgency=medium
│ │ │ │
│ │ │ │ [ Colin O'Dell ]
│ │ │ │ * Fix Attributes extension parsing regression (#1071)
│ │ │ │ * Prepare to release 2.6.2
│ │ │ │
│ │ │ │ [ David Prévot ]
│ │ ├── ./usr/share/doc/php-league-commonmark/changelog.gz
│ │ │ ├── changelog
│ │ │ │ @@ -2,14 +2,25 @@
│ │ │ │ All notable changes to this project will be documented in this file.
│ │ │ │ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
│ │ │ │
│ │ │ │ **Upgrading from 1.x?** See <https://commonmark.thephpleague.com/2.0/upgrading/> for additional information.
│ │ │ │
│ │ │ │ ## [Unreleased][unreleased]
│ │ │ │
│ │ │ │ +## [2.7.0]
│ │ │ │ +
│ │ │ │ +This is a **security release** to address a potential cross-site scripting (XSS) vulnerability when using the `AttributesExtension` with untrusted user input.
│ │ │ │ +
│ │ │ │ +### Added
│ │ │ │ +- Added `attributes/allow` config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)
│ │ │ │ +
│ │ │ │ +### Changed
│ │ │ │ +- The `AttributesExtension` blocks all attributes starting with `on` unless explicitly allowed via the `attributes/allow` config option
│ │ │ │ +- The `allow_unsafe_links` option is now respected by the `AttributesExtension` when users specify `href` and `src` attributes
│ │ │ │ +
│ │ │ │ ## [2.6.2] - 2025-04-18
│ │ │ │
│ │ │ │ ### Fixed
│ │ │ │
│ │ │ │ - Fixed Attributes extension parsing regression (#1071)
│ │ │ │
│ │ │ │ ## [2.6.1] - 2024-12-29
│ │ │ │ @@ -685,15 +696,16 @@
│ │ │ │ **The following things have been deprecated and will not be supported in v3.0:**
│ │ │ │
│ │ │ │ - `Environment::mergeConfig()` (set configuration before instantiation instead)
│ │ │ │ - `Environment::createCommonMarkEnvironment()` and `Environment::createGFMEnvironment()`
│ │ │ │ - Alternative 1: Use `CommonMarkConverter` or `GithubFlavoredMarkdownConverter` if you don't need to customize the environment
│ │ │ │ - Alternative 2: Instantiate a new `Environment` and add the necessary extensions yourself
│ │ │ │
│ │ │ │ -[unreleased]: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2
│ │ │ │ +[unreleased]: https://github.com/thephpleague/commonmark/compare/2.7.0...HEAD
│ │ │ │ +[2.7.0]: https://github.com/thephpleague/commonmark/compare/2.6.2...2.7.0
│ │ │ │ [2.6.2]: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2
│ │ │ │ [2.6.1]: https://github.com/thephpleague/commonmark/compare/2.6.0...2.6.1
│ │ │ │ [2.6.0]: https://github.com/thephpleague/commonmark/compare/2.5.3...2.6.0
│ │ │ │ [2.5.3]: https://github.com/thephpleague/commonmark/compare/2.5.2...2.5.3
│ │ │ │ [2.5.2]: https://github.com/thephpleague/commonmark/compare/2.5.1...2.5.2
│ │ │ │ [2.5.1]: https://github.com/thephpleague/commonmark/compare/2.5.0...2.5.1
│ │ │ │ [2.5.0]: https://github.com/thephpleague/commonmark/compare/2.4.4...2.5.0
│ │ ├── ./usr/share/php/League/CommonMark/Extension/Attributes/AttributesExtension.php
│ │ │ @@ -15,18 +15,30 @@
│ │ │ namespace League\CommonMark\Extension\Attributes;
│ │ │
│ │ │ use League\CommonMark\Environment\EnvironmentBuilderInterface;
│ │ │ use League\CommonMark\Event\DocumentParsedEvent;
│ │ │ use League\CommonMark\Extension\Attributes\Event\AttributesListener;
│ │ │ use League\CommonMark\Extension\Attributes\Parser\AttributesBlockStartParser;
│ │ │ use League\CommonMark\Extension\Attributes\Parser\AttributesInlineParser;
│ │ │ -use League\CommonMark\Extension\ExtensionInterface;
│ │ │ +use League\CommonMark\Extension\ConfigurableExtensionInterface; │ │ │ +use League\Config\ConfigurationBuilderInterface;
│ │ │ +use Nette\Schema\Expect;
│ │ │
│ │ │ -final class AttributesExtension implements ExtensionInterface
│ │ │ +final class AttributesExtension implements ConfigurableExtensionInterface
│ │ │ {
│ │ │ + public function configureSchema(ConfigurationBuilderInterface $builder): void
│ │ │ + {
│ │ │ + $builder->addSchema('attributes', Expect::structure([
│ │ │ + 'allow' => Expect::arrayOf('string')->default([]),
│ │ │ + ]));
│ │ │ + }
│ │ │ +
│ │ │ public function register(EnvironmentBuilderInterface $environment): void
│ │ │ {
│ │ │ + $allowList = $environment->getConfiguration()->get('attributes.allow');
│ │ │ + $allowUnsafeLinks = $environment->getConfiguration()->get('allow_unsafe_links');
│ │ │ +
│ │ │ $environment->addBlockStartParser(new AttributesBlockStartParser());
│ │ │ $environment->addInlineParser(new AttributesInlineParser());
│ │ │ - $environment->addEventListener(DocumentParsedEvent::class, [new AttributesListener(), 'processDocument']);
│ │ │ + $environment->addEventListener(DocumentParsedEvent::class, [new AttributesListener($allowList, $allowUnsafeLinks), 'processDocument']);
│ │ │ }
│ │ │ }
│ │ ├── ./usr/share/php/League/CommonMark/Extension/Attributes/Event/AttributesListener.php
│ │ │ @@ -25,14 +25,27 @@
│ │ │ use League\CommonMark\Node\Node;
│ │ │
│ │ │ final class AttributesListener
│ │ │ {
│ │ │ private const DIRECTION_PREFIX = 'prefix';
│ │ │ private const DIRECTION_SUFFIX = 'suffix';
│ │ │
│ │ │ + /** @var list<string> */
│ │ │ + private array $allowList;
│ │ │ + private bool $allowUnsafeLinks;
│ │ │ +
│ │ │ + /**
│ │ │ + * @param list<string> $allowList
│ │ │ + */
│ │ │ + public function __construct(array $allowList = [], bool $allowUnsafeLinks = true)
│ │ │ + {
│ │ │ + $this->allowList = $allowList;
│ │ │ + $this->allowUnsafeLinks = $allowUnsafeLinks;
│ │ │ + }
│ │ │ +
│ │ │ public function processDocument(DocumentParsedEvent $event): void
│ │ │ {
│ │ │ foreach ($event->getDocument()->iterator() as $node) {
│ │ │ if (! ($node instanceof Attributes || $node instanceof AttributesInline)) {
│ │ │ continue;
│ │ │ }
│ │ │
│ │ │ @@ -46,15 +59,15 @@
│ │ │
│ │ │ if ($direction === self::DIRECTION_SUFFIX) {
│ │ │ $attributes = AttributesHelper::mergeAttributes($target, $node->getAttributes());
│ │ │ } else {
│ │ │ $attributes = AttributesHelper::mergeAttributes($node->getAttributes(), $target);
│ │ │ }
│ │ │
│ │ │ - $target->data->set('attributes', $attributes);
│ │ │ + $target->data->set('attributes', AttributesHelper::filterAttributes($attributes, $this->allowList, $this->allowUnsafeLinks));
│ │ │ }
│ │ │
│ │ │ $node->detach();
│ │ │ }
│ │ │ }
│ │ │
│ │ │ /**
│ │ ├── ./usr/share/php/League/CommonMark/Extension/Attributes/Util/AttributesHelper.php
│ │ │ @@ -135,8 +135,46 @@
│ │ │
│ │ │ if (isset($attributes['class'])) {
│ │ │ $attributes['class'] = \implode(' ', $attributes['class']);
│ │ │ }
│ │ │
│ │ │ return $attributes;
│ │ │ }
│ │ │ +
│ │ │ + /**
│ │ │ + * @param array<string, mixed> $attributes
│ │ │ + * @param list<string> $allowList
│ │ │ + *
│ │ │ + * @return array<string, mixed>
│ │ │ + */
│ │ │ + public static function filterAttributes(array $attributes, array $allowList, bool $allowUnsafeLinks): array
│ │ │ + {
│ │ │ + $allowList = \array_fill_keys($allowList, true);
│ │ │ +
│ │ │ + foreach ($attributes as $name => $value) {
│ │ │ + $attrNameLower = \strtolower($name);
│ │ │ +
│ │ │ + // Remove any unsafe links
│ │ │ + if (! $allowUnsafeLinks && ($attrNameLower === 'href' || $attrNameLower === 'src') && \is_string($value) && RegexHelper::isLinkPotentiallyUnsafe($value)) {
│ │ │ + unset($attributes[$name]);
│ │ │ + continue;
│ │ │ + }
│ │ │ +
│ │ │ + // No allowlist?
│ │ │ + if ($allowList === []) {
│ │ │ + // Just remove JS event handlers
│ │ │ + if (\str_starts_with($attrNameLower, 'on')) {
│ │ │ + unset($attributes[$name]);
│ │ │ + }
│ │ │ +
│ │ │ + continue;
│ │ │ + }
│ │ │ +
│ │ │ + // Remove any attributes not in that allowlist (case-sensitive)
│ │ │ + if (! isset($allowList[$name])) {
│ │ │ + unset($attributes[$name]);
│ │ │ + }
│ │ │ + }
│ │ │ +
│ │ │ + return $attributes;
│ │ │ + }
│ │ │ }

--KvfobiQo61QIB6U6--

-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmgjcpcACgkQBYwc+UT2 vTynjwgAgSwyvMYxhrAPxbcFpahSk5K1T10VM0aef6+CHz3ei98YOQorfDrykjNl wftmhiiv8JjKkqZQL1XgjI+PgjZnsFY45Vi3WVOXQlkkhDAcxPag2LU08ElSYB5f kykhk3qFRVGUYGBlhyPP1UmeDn3W9JgJwYg25llFd9n6Azxnb1Nk3E4sN/aXTdAu xwBrZhw84p9u3w9ADYFvRH4F6iFqJalTnoqcRGcwozgd2YlGMF0wb8B5rPfjz5Oo B+BEqXxzXxIsKoCwM7usxTnRovKCjqp/h4A6Rq+eiyFV5aAXYvZlkWnu5jCIp2Kj HOgo3z1UJULP4hFwvxyYejLT76tOqg==
=7qeT
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)