Updated composer packages, updated release date

- symfony/polyfill-php80 (v1.31.0 => v1.32.0)
- symfony/polyfill-mbstring (v1.31.0 => v1.32.0)
- league/commonmark (2.6.2 => 2.7.0)
- phpmailer/phpmailer (v6.9.3 => v6.10.0)
- roave/security-advisories (dev-latest 6c54d20 => dev-latest c6007a5)
- symfony/polyfill-php73 (v1.31.0 => v1.32.0)
- symfony/polyfill-php74 (v1.31.0 => v1.32.0)
- symfony/polyfill-php81 (v1.31.0 => v1.32.0)
- symfony/polyfill-php82 (v1.31.0 => v1.32.0)
- symfony/polyfill-php83 (v1.31.0 => v1.32.0)

Author: slackero

composer.json

@@ -11,20 +11,20 @@
         "algo26-matthias/idna-convert": "^v3.2.0",
         "enshrined/svg-sanitize": "^0.21.0",
         "netcarver/textile": "v4.1.3",
-        "league/commonmark": "^2.6.2",
+        "league/commonmark": "^2.7.0",
         "ezyang/htmlpurifier": "^v4.18.0",
         "openpsa/universalfeedcreator": "^v1.9.0",
-        "phpmailer/phpmailer": "^v6.9.3",
+        "phpmailer/phpmailer": "^v6.10.0",
         "phpoffice/phpspreadsheet": "^1.29.10",
         "simplepie/simplepie": "@dev",
         "html2text/html2text": "^4.3.2",
-        "symfony/polyfill-mbstring": "^v1.31.0",
-        "symfony/polyfill-php73": "^v1.31.0",
-        "symfony/polyfill-php74": "^v1.31.0",
-        "symfony/polyfill-php80": "^v1.31.0",
-        "symfony/polyfill-php81": "^v1.31.0",
-        "symfony/polyfill-php82": "^v1.31.0",
-        "symfony/polyfill-php83": "^v1.31.0",
+        "symfony/polyfill-mbstring": "^v1.32.0",
+        "symfony/polyfill-php73": "^v1.32.0",
+        "symfony/polyfill-php74": "^v1.32.0",
+        "symfony/polyfill-php80": "^v1.32.0",
+        "symfony/polyfill-php81": "^v1.32.0",
+        "symfony/polyfill-php82": "^v1.32.0",
+        "symfony/polyfill-php83": "^v1.32.0",
         "ext-intl": "*",
         "ext-gd": "*",
         "ext-mysqli": "*",

include/inc_lib/revision/revision.php

@@ -10,5 +10,5 @@
  **/
 
 const PHPWCMS_VERSION = '1.9.46-dev';
-const PHPWCMS_RELEASE_DATE = '2025/04/12';
+const PHPWCMS_RELEASE_DATE = '2025/06/02';
 const PHPWCMS_REVISION = '553';

include/vendor/composer/installed.json

@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'f029b03ebedee1a850a7f007f69bb71541346310',
+        'reference' => '07e14bb94f549f9fbe3ccd14dce86f81d77dd6c8',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'f029b03ebedee1a850a7f007f69bb71541346310',
+            'reference' => '07e14bb94f549f9fbe3ccd14dce86f81d77dd6c8',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../../',
             'aliases' => array(),
@@ -83,9 +83,9 @@
             'dev_requirement' => false,
         ),
         'league/commonmark' => array(
-            'pretty_version' => '2.6.2',
-            'version' => '2.6.2.0',
-            'reference' => '06c3b0bf2540338094575612f4a1778d0d2d5e94',
+            'pretty_version' => '2.7.0',
+            'version' => '2.7.0.0',
+            'reference' => '6fbb36d44824ed4091adbcf4c7d4a3923cdb3405',
             'type' => 'library',
             'install_path' => __DIR__ . '/../league/commonmark',
             'aliases' => array(),
@@ -173,9 +173,9 @@
             'dev_requirement' => false,
         ),
         'phpmailer/phpmailer' => array(
-            'pretty_version' => 'v6.9.3',
-            'version' => '6.9.3.0',
-            'reference' => '2f5c94fe7493efc213f643c23b1b1c249d40f47e',
+            'pretty_version' => 'v6.10.0',
+            'version' => '6.10.0.0',
+            'reference' => 'bf74d75a1fde6beaa34a0ddae2ec5fce0f72a144',
             'type' => 'library',
             'install_path' => __DIR__ . '/../phpmailer/phpmailer',
             'aliases' => array(),
@@ -238,7 +238,7 @@
         'roave/security-advisories' => array(
             'pretty_version' => 'dev-latest',
             'version' => 'dev-latest',
-            'reference' => '6c54d20ae795b83ecf3f826311d7f488cd1ef005',
+            'reference' => 'c6007a53027047b08044448c57571988ac9b6e93',
             'type' => 'metapackage',
             'install_path' => null,
             'aliases' => array(
@@ -267,62 +267,62 @@
             'dev_requirement' => false,
         ),
         'symfony/polyfill-mbstring' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
-            'reference' => '85181ba99b2345b0ef10ce42ecac37612d9fd341',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
+            'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-mbstring',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php73' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
             'reference' => '0f68c03565dcaaf25a890667542e8bd75fe7e5bb',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php73',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php74' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
             'reference' => '9589537d05325fb5d88a20d8926823e5b827a43e',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php74',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php80' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
-            'reference' => '60328e362d4c2c802a54fcbf04f9d3fb892b4cf8',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
+            'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php80',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php81' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
             'reference' => '4a4cfc2d253c21a5ad0e53071df248ed48c6ce5c',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php81',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php82' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
             'reference' => '5d2ed36f7734637dacc025f179698031951b1692',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php82',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'symfony/polyfill-php83' => array(
-            'pretty_version' => 'v1.31.0',
-            'version' => '1.31.0.0',
+            'pretty_version' => 'v1.32.0',
+            'version' => '1.32.0.0',
             'reference' => '2fb86d65e2d424369ad2905e83b236a8805ba491',
             'type' => 'library',
             'install_path' => __DIR__ . '/../symfony/polyfill-php83',

include/vendor/composer/installed.php

@@ -6,6 +6,17 @@ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) princi
 
 ## [Unreleased][unreleased]
 
+## [2.7.0]
+
+This is a **security release** to address a potential cross-site scripting (XSS) vulnerability when using the `AttributesExtension` with untrusted user input.
+
+### Added
+- Added `attributes/allow` config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)
+
+### Changed
+- The `AttributesExtension` blocks all attributes starting with `on` unless explicitly allowed via the `attributes/allow` config option
+- The `allow_unsafe_links` option is now respected by the `AttributesExtension` when users specify `href` and `src` attributes
+
 ## [2.6.2] - 2025-04-18
 
 ### Fixed
@@ -689,7 +700,8 @@ No changes were introduced since the previous release.
     - Alternative 1: Use `CommonMarkConverter` or `GithubFlavoredMarkdownConverter` if you don't need to customize the environment
     - Alternative 2: Instantiate a new `Environment` and add the necessary extensions yourself
 
-[unreleased]: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2
+[unreleased]: https://github.com/thephpleague/commonmark/compare/2.7.0...HEAD
+[2.7.0]: https://github.com/thephpleague/commonmark/compare/2.6.2...2.7.0
 [2.6.2]: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2
 [2.6.1]: https://github.com/thephpleague/commonmark/compare/2.6.0...2.6.1
 [2.6.0]: https://github.com/thephpleague/commonmark/compare/2.5.3...2.6.0

include/vendor/league/commonmark/CHANGELOG.md

@@ -115,7 +115,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-main": "2.7-dev"
+            "dev-main": "2.8-dev"
         }
     },
     "config": {

include/vendor/league/commonmark/composer.json

@@ -19,14 +19,26 @@
 use League\CommonMark\Extension\Attributes\Event\AttributesListener;
 use League\CommonMark\Extension\Attributes\Parser\AttributesBlockStartParser;
 use League\CommonMark\Extension\Attributes\Parser\AttributesInlineParser;
-use League\CommonMark\Extension\ExtensionInterface;
+use League\CommonMark\Extension\ConfigurableExtensionInterface;
+use League\Config\ConfigurationBuilderInterface;
+use Nette\Schema\Expect;
 
-final class AttributesExtension implements ExtensionInterface
+final class AttributesExtension implements ConfigurableExtensionInterface
 {
+    public function configureSchema(ConfigurationBuilderInterface $builder): void
+    {
+        $builder->addSchema('attributes', Expect::structure([
+            'allow' => Expect::arrayOf('string')->default([]),
+        ]));
+    }
+
     public function register(EnvironmentBuilderInterface $environment): void
     {
+        $allowList        = $environment->getConfiguration()->get('attributes.allow');
+        $allowUnsafeLinks = $environment->getConfiguration()->get('allow_unsafe_links');
+
         $environment->addBlockStartParser(new AttributesBlockStartParser());
         $environment->addInlineParser(new AttributesInlineParser());
-        $environment->addEventListener(DocumentParsedEvent::class, [new AttributesListener(), 'processDocument']);
+        $environment->addEventListener(DocumentParsedEvent::class, [new AttributesListener($allowList, $allowUnsafeLinks), 'processDocument']);
     }
 }

include/vendor/league/commonmark/src/Extension/Attributes/AttributesExtension.php

@@ -29,6 +29,19 @@ final class AttributesListener
     private const DIRECTION_PREFIX = 'prefix';
     private const DIRECTION_SUFFIX = 'suffix';
 
+    /** @var list<string> */
+    private array $allowList;
+    private bool $allowUnsafeLinks;
+
+    /**
+     * @param list<string> $allowList
+     */
+    public function __construct(array $allowList = [], bool $allowUnsafeLinks = true)
+    {
+        $this->allowList        = $allowList;
+        $this->allowUnsafeLinks = $allowUnsafeLinks;
+    }
+
     public function processDocument(DocumentParsedEvent $event): void
     {
         foreach ($event->getDocument()->iterator() as $node) {
@@ -50,7 +63,7 @@ public function processDocument(DocumentParsedEvent $event): void
                     $attributes = AttributesHelper::mergeAttributes($node->getAttributes(), $target);
                 }
 
-                $target->data->set('attributes', $attributes);
+                $target->data->set('attributes', AttributesHelper::filterAttributes($attributes, $this->allowList, $this->allowUnsafeLinks));
             }
 
             $node->detach();

include/vendor/league/commonmark/src/Extension/Attributes/Event/AttributesListener.php

@@ -139,4 +139,42 @@ public static function mergeAttributes($attributes1, $attributes2): array
 
         return $attributes;
     }
+
+    /**
+     * @param array<string, mixed> $attributes
+     * @param list<string>         $allowList
+     *
+     * @return array<string, mixed>
+     */
+    public static function filterAttributes(array $attributes, array $allowList, bool $allowUnsafeLinks): array
+    {
+        $allowList = \array_fill_keys($allowList, true);
+
+        foreach ($attributes as $name => $value) {
+            $attrNameLower = \strtolower($name);
+
+            // Remove any unsafe links
+            if (! $allowUnsafeLinks && ($attrNameLower === 'href' || $attrNameLower === 'src') && \is_string($value) && RegexHelper::isLinkPotentiallyUnsafe($value)) {
+                unset($attributes[$name]);
+                continue;
+            }
+
+            // No allowlist?
+            if ($allowList === []) {
+                // Just remove JS event handlers
+                if (\str_starts_with($attrNameLower, 'on')) {
+                    unset($attributes[$name]);
+                }
+
+                continue;
+            }
+
+            // Remove any attributes not in that allowlist (case-sensitive)
+            if (! isset($allowList[$name])) {
+                unset($attributes[$name]);
+            }
+        }
+
+        return $attributes;
+    }
 }