CVE-2026-30838

描述

### Impact The `DisallowedRawHtml` extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing `>`. For example, `<script\n>` would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the `DisallowedRawHtml` extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. ### Patches Fixed in 2.8.1. The regex character class `[ \/>]` was changed to `[\s\/>]` to match all whitespace characters that browsers accept as valid tag name terminators. ### Workarounds - Set the `html_input` configuration option to `'escape'` or `'strip'` to disable all raw HTML, though this is a broader restriction than the `DisallowedRawHtml` extension provides. - Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users ([always recommended](https://commonmark.thephpleague.com/2.x/security/#additional-filtering))

受影響套件(2)

• Debian/php-league-commonmarkfrom 0
• Packagist/league/commonmark>= 2.0.0, < 2.8.1

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30838
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-30838
• PATCHhttps://github.com/thephpleague/commonmark
• WEBhttps://commonmark.thephpleague.com/extensions/disallowed-raw-html
• WEBhttps://github.com/thephpleague/commonmark/security/advisories/GHSA-4v6x-c7xx-hw9f