Merge commit from fork

Fix DisallowedRawHtml bypass via whitespace in HTML tag names

Author: colinodell

CHANGELOG.md

@@ -6,6 +6,13 @@ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) princi
 
 ## [Unreleased][unreleased]
 
+## [2.8.1] - 2026-03-05
+
+This is a **security release** to address an issue where `DisallowedRawHtml` can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.
+
+### Fixed
+- Fixed `DisallowedRawHtmlRenderer` not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
+
 ## [2.8.0] - 2025-11-26
 
 ### Added
@@ -717,7 +724,8 @@ No changes were introduced since the previous release.
     - Alternative 1: Use `CommonMarkConverter` or `GithubFlavoredMarkdownConverter` if you don't need to customize the environment
     - Alternative 2: Instantiate a new `Environment` and add the necessary extensions yourself
 
-[unreleased]: https://github.com/thephpleague/commonmark/compare/2.8.0...HEAD
+[unreleased]: https://github.com/thephpleague/commonmark/compare/2.8.1...HEAD
+[2.8.1]: https://github.com/thephpleague/commonmark/compare/2.8.0...2.8.1
 [2.8.0]: https://github.com/thephpleague/commonmark/compare/2.7.1...2.8.0
 [2.7.1]: https://github.com/thephpleague/commonmark/compare/2.7.0...2.7.1
 [2.7.0]: https://github.com/thephpleague/commonmark/compare/2.6.2...2.7.0

src/Extension/DisallowedRawHtml/DisallowedRawHtmlRenderer.php

@@ -45,7 +45,7 @@ public function render(Node $node, ChildNodeRendererInterface $childRenderer): ?
             return $rendered;
         }
 
-        $regex = \sprintf('/<(\/?(?:%s)[ \/>])/i', \implode('|', \array_map('preg_quote', $tags)));
+        $regex = \sprintf('/<(\/?(?:%s)[\s\/>])/i', \implode('|', \array_map('preg_quote', $tags)));
 
         // Match these types of tags: <title> </title> <title x="sdf"> <title/> <title />
         return \preg_replace($regex, '&lt;$1', $rendered);

tests/unit/Extension/DisallowedRawHtml/DisallowedRawHtmlRendererTest.php

@@ -71,6 +71,16 @@ public static function dataProviderForTestWithDefaultSettings(): iterable
         yield ['<script>', '&lt;script>'];
         yield ['<plaintext>', '&lt;plaintext>'];
 
+        // Newline/whitespace bypass attempts (security fix)
+        yield ['<script   >', '&lt;script   >'];
+        yield ["<script\n>", "&lt;script\n>"];
+        yield ["<script\t>", "&lt;script\t>"];
+        yield ["<script\r\n>", "&lt;script\r\n>"];
+        yield ["<iframe\nwidth=\"560\">", "&lt;iframe\nwidth=\"560\">"];
+
+        // Ensure non-disallowed tags with similar names are NOT filtered
+        yield ['<scriptfoo>', '<scriptfoo>'];
+
         // Tags not escaped by default
         yield ['<strong>', '<strong>'];
     }
@@ -107,6 +117,11 @@ public static function dataProviderForTestWithCustomSettings(): iterable
         yield ['<strong/>', '&lt;strong/>'];
         yield ['<strong />', '&lt;strong />'];
 
+        // Newline bypass with custom config
+        yield ['<strong   >', '&lt;strong   >'];
+        yield ["<strong\n>", "&lt;strong\n>"];
+        yield ["<strong\t>", "&lt;strong\t>"];
+
         // Defaults that I didn't include in my custom config
         yield ['<title>', '<title>'];
         yield ['<textarea>', '<textarea>'];