Unknown · League/Commonmark · CVE-2026-30838
**Name of the Vulnerable Software and Affected Versions**
league/commonmark versions prior to 2.8.1
**Description**
The `DisallowedRawHtml` extension in league/commonmark can be bypassed by inserting ASCII whitespace characters between a disallowed HTML tag name and the closing `>`. For example, `<script` followed by a newline and then `>` (that is, `<script\n>`) passes through the extension unfiltered, and browsers render it as a valid `<script>` tag because they accept any ASCII whitespace as a tag-name terminator. This creates a cross-site scripting (XSS) vector for applications that rely on this extension alone to sanitize untrusted user input. Applications that run a dedicated HTML sanitizer, such as HTML Purifier, on the rendered output are not affected. The root cause is a regex character class in the extension that did not match all of the whitespace characters browsers accept as tag-name terminators.
**Recommendations**
Update to version 2.8.1 or later.
As a workaround, set the `html_input` configuration option to `'escape'` or `'strip'`, which neutralises all raw HTML regardless of the extension's filtering.
Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users.
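The following is an added example, not code from the advisory or from the league/commonmark project. It renders a constructed whitespace-terminated `<script` payload through three configurations: the default `html_input => 'allow'` (where only the `DisallowedRawHtml` extension protects the output, and versions before 2.8.1 let the payload through), and the `'escape'` and `'strip'` workarounds. It assumes league/commonmark 2.x is installed via Composer; the `render()` and `containsLiveScriptTag()` helpers are hypothetical names for this example, and the check regex uses the HTML ASCII whitespace set (tab, LF, FF, CR, space) rather than the extension's own pattern.

```php
<?php
// Added example; not part of the advisory or of league/commonmark itself.
// Assumes league/commonmark 2.x is installed and autoloadable via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\Extension\DisallowedRawHtml\DisallowedRawHtmlExtension;
use League\CommonMark\MarkdownConverter;

// Constructed test input: the disallowed tag name is followed by a newline
// before '>', which browsers accept as a tag-name terminator.
$payload = "<script\n>alert(1)</script\n>";

// Hypothetical helper: render Markdown with the core and DisallowedRawHtml
// extensions under the given configuration.
function render(array $config, string $markdown): string
{
    $environment = new Environment($config);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new DisallowedRawHtmlExtension());

    return (new MarkdownConverter($environment))->convert($markdown)->getContent();
}

// Hypothetical check: does a '<script' tag, with any HTML ASCII whitespace
// between the tag name and '>', survive in the rendered output?
function containsLiveScriptTag(string $html): bool
{
    return preg_match('/<script[ \t\n\r\f]*>/i', $html) === 1;
}

// 1. Raw HTML allowed: only the DisallowedRawHtml extension stands between the
//    payload and the browser. Before 2.8.1 the newline-terminated tag leaks.
$allowed = render(['html_input' => 'allow'], $payload);

// 2. Workarounds from the advisory: escape or strip all raw HTML, so the
//    extension's regex is never the last line of defence.
$escaped  = render(['html_input' => 'escape'], $payload);
$stripped = render(['html_input' => 'strip'], $payload);

printf("allow:  %s\n", containsLiveScriptTag($allowed)  ? 'VULNERABLE' : 'blocked');
printf("escape: %s\n", containsLiveScriptTag($escaped)  ? 'VULNERABLE' : 'blocked');
printf("strip:  %s\n", containsLiveScriptTag($stripped) ? 'VULNERABLE' : 'blocked');
```

Run this against the version of the library you ship: on a vulnerable release the `allow` line reports the tag surviving, while `escape` and `strip` block it in every version. The check regex is deliberately broader than a single newline so the same script can be pointed at any rendered output, including pages that already pass through a sanitizer.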