Skip to content

v1.5.5

Choose a tag to compare

View all tags
@BenjaminHoegh BenjaminHoegh released this 25 Apr 18:30
· 47 commits to 1.x since this release
v1.5.5
db787ed

Security

Previously, the generated ToC was first built as a Markdown list and then passed back through Parsedown for HTML rendering. In this release, the ToC is rendered directly as escaped HTML from the collected heading data.
This reduces the risk of unsafe Markdown/HTML interpretation from heading text, generated IDs, and ToC link values.

What's Changed

  • Reworked ToC HTML generation to render directly from the internal contents list.
  • Removed the legacy intermediate Markdown-list rendering step for contentsList('html') and contentsList('string').
  • Escaped ToC link text using htmlspecialchars().
  • Escaped ToC link href attributes using htmlspecialchars().
  • Escaped the ToC container id attribute.
  • Refactor attribute assignment for heading IDs by @ArnaudLigny in #28

Full Changelog: v1.5.4...v1.5.5

Contributors

ArnaudLigny
Assets 2
Loading