Markdown Extra Laravel Package

twig/markdown-extra

Twig extension adding Markdown support to templates. Provides markdown_to_html and html_to_markdown filters to convert Markdown blocks to HTML and turn HTML back into Markdown, making it easy to render or edit rich content in Twig views.


Technical Evaluation

Architecture Fit

  • Enhanced Security Model: The new release (v3.26.0) prioritizes security with a critical fix for CVE-2026-46637, addressing XSS vulnerabilities in HTML-emitting filters (e.g., markdown_to_html). This aligns with Laravel’s security-first philosophy and reduces risk for user-generated content workflows (e.g., wikis, CMS, or comment systems).
    • Pre-escaping Input: The fix introduces auto-escaping for untrusted input in Twig filters, mitigating XSS without requiring manual sanitization in most cases. This materially lowers the XSS exposure of Laravel apps that render dynamic Markdown.
    • Backward Compatibility: The change is non-breaking but enforces stricter defaults, which may require updates to custom filters or extensions that bypass escaping.
  • Bidirectional Workflow Strengths:
    • The package’s core value—seamless HTML ↔ Markdown conversion—remains unchanged but is now safer for production use.
    • Ideal for Laravel use cases like:
      • Legacy HTML migration to Markdown (e.g., converting old blog posts).
      • Hybrid CMS workflows (e.g., storing content in Markdown but rendering dynamic HTML snippets).
  • Extensibility:
    • Custom filters can still override behavior, but must now account for pre-escaping. Example:
      // Custom filter (must handle escaping manually if needed).
      // Twig 3 registers filters as TwigFilter objects; is_safe => ['html']
      // tells the autoescaper to print the returned HTML verbatim, i.e. no auto-escaping.
      use Twig\TwigFilter;

      $twig->addFilter(new TwigFilter('unsafe_markdown', function (string $content): string {
          $markdown = new \Michelf\MarkdownExtra();
          return $markdown->transform($content); // No auto-escaping
      }, ['is_safe' => ['html']]));
      
  • Performance:
    • No changes to performance characteristics. The security fix adds minimal overhead (pre-escaping is lightweight).
    • Caching recommendations remain valid for high-throughput scenarios.

Integration Feasibility

  • Laravel Compatibility:
    • No breaking changes to Laravel integration. The security fix is internal to the Twig extension and doesn’t affect registration or usage syntax.
    • Laravel 10/11: Fully compatible. For Laravel 9, test markdown_to_html with user-generated content to ensure escaping works as expected.
  • Dependency Risks:
    • Critical: Update twig/markdown-extra to v3.26.0 to patch CVE-2026-46637.
    • Secondary: Ensure symfony/markdown is also updated (v6.4+ recommended).
    • No conflicts with Laravel’s core or other Twig extensions.
  • Testing Effort:
    • High Priority: Retest user-generated Markdown scenarios to validate:
      • Auto-escaping behavior in Blade templates.
      • Custom filters that may need to opt out of escaping.
    • Recommended Tests:
      • XSS payloads (e.g., <script>alert(1)</script> in Markdown) should render as text.
      • Edge cases like malformed HTML in Markdown.
      • Integration with Laravel’s {{ $var|e }} escaping filter.
  • Configuration Overhead:
    • Unchanged: Still requires one-line registration in a service provider or config/twig.php.
    • New Consideration: Document the security implications of custom filters in your team’s style guide.

Technical Risk

| Risk Area | Updated Assessment | Mitigation Strategy |
| --- | --- | --- |
| Security | High Priority: CVE-2026-46637 affects all apps using markdown_to_html with untrusted input. | Immediate: Update to v3.26.0. Test user-generated content workflows. |
| Breaking Changes | Low: Non-breaking, but custom filters may need updates if they rely on unescaped output. | Audit custom Twig filters for manual escaping logic. Use `{{ $var |
| Performance | Low: Pre-escaping adds negligible overhead. | Monitor in high-traffic templates; cache as before. |
| Twig Version Lock | Low: Twig 3.x (Laravel 10+) is unaffected. | No action required. |
| Customization Limits | Medium: Custom filters must now handle escaping manually. | Provide a whitelist mechanism for trusted content (e.g., admin-only Markdown). |
| PHP Version Requirements | Medium: PHP 8.1+ required (no change). | Upgrade if using PHP 8.0; test compatibility if stuck on 8.0. |

Key Questions

  1. Security Validation:
    • Have you audited all user-generated Markdown workflows (e.g., comments, wikis) for XSS risks? If yes, confirm the fix resolves them.
    • Should custom filters be restricted to trusted roles (e.g., admins) to avoid bypassing escaping?
  2. Fallback Strategy:
    • With auto-escaping enabled, how should legitimate HTML snippets (e.g., <code> blocks) be handled? Options:
      • Use Markdown’s HTML block syntax (e.g., a raw HTML block such as <div>...</div>).
      • Create a whitelisted safe_markdown filter for trusted content.
  3. Custom Filter Review:
    • Do any existing custom Twig filters disable escaping? If yes, update them to:
      • Opt into escaping (default).
      • Or document why they require raw output (e.g., for internal tools).
  4. Third-Party Integrations:
    • Are there external services (e.g., GitHub, Notion) that inject HTML into your Markdown? If yes, test their output with the new escaping rules.
  5. Deprecation Warnings:
    • Monitor for future deprecations in symfony/markdown v6.x, which may affect long-term compatibility.
  6. Localization Impact:
    • Could auto-escaping break localized content (e.g., HTML entities in translations)? Test with non-ASCII Markdown.
  7. Rollback Plan:
    • If issues arise, can you downgrade to v3.22.0? If not, implement a feature flag for the Twig extension.

Integration Approach

Stack Fit

  • Laravel Blade/Twig:
    • Native fit remains unchanged. The security fix strengthens the package’s suitability for Laravel’s templating system.
    • Critical for: Apps handling user-generated Markdown (e.g., forums, documentation, CMS).
  • Dependency Graph:
    • Primary: twig/markdown-extra (now v3.26.0).
    • Secondary: symfony/markdown (v6.4+ recommended).
    • No conflicts with Laravel’s core or other Twig extensions.
  • PHP Version:
    • Requires PHP 8.1+ (no change). If using PHP 8.0, evaluate alternatives or upgrade.
  • Alternatives:
    • Parsedown: Lighter but lacks bidirectional support and security fixes.
    • Custom Solution: Rolling your own Markdown parser is not recommended due to maintenance overhead and security risks.

Migration Path

  1. Update Dependencies:
    composer require twig/markdown-extra:^3.26.0 symfony/markdown:^6.4.0
    
  2. Re-register the Extension (if not already done):
    // app/Providers/AppServiceProvider.php
    namespace App\Providers;

    use Illuminate\Support\ServiceProvider;
    use Twig\Extra\Markdown\MarkdownExtension;

    class AppServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            // 'twig' is assumed to be the container binding for the Twig\Environment
            $this->app->make('twig')->addExtension(new MarkdownExtension());
        }
    }
    
  3. Test User-Generated Content:
    • Verify that XSS payloads (e.g., <script>alert(1)</script>) render as text:
      {{ "<script>alert(1)</script>"|markdown_to_html }} <!-- Should output: &lt;script&gt;alert(1)&lt;/script&gt; -->
      
  4. Update Custom Filters (if applicable):
    • Example: Opt out of escaping for trusted content:
      use Twig\TwigFilter;

      // is_safe => ['html'] makes Twig print the returned HTML verbatim (no auto-escaping);
      // only expose this filter to templates fed by trusted roles.
      $twig->addFilter(new TwigFilter('admin_markdown', function (string $content): string {
          $markdown = new \Michelf\MarkdownExtra();
          return $markdown->transform($content); // No auto-escaping
      }, ['is_safe' => ['html']]));
      
  5. Sanitization Layer (optional for extra safety):
    • Apply a tag allowlist for granular control: in Twig the built-in striptags filter, or in PHP Laravel’s Str::of($html)->stripTags('<p><a><strong>'). In a template:
      {{ userMarkdown|markdown_to_html|striptags('<p><a><strong>') }}
      
    • Caveat: striptags wraps PHP’s strip_tags, which keeps attributes on allowed tags (an href="javascript:..." or an event-handler attribute survives), so for untrusted content use a real HTML sanitizer such as symfony/html-sanitizer instead of, or after, this step.

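The following is an added, framework-agnostic PHP example that is not code from the page or from the twig/markdown-extra project. It ties together the custom-filter, testing and sanitization points above: it registers MarkdownExtension together with the runtime loader the extension needs (which the service-provider snippet above does not show), defines a sanitized safe_markdown filter and an unsanitized admin_markdown filter for trusted authors, and renders constructed XSS samples through both the package filter and the sanitized one. It assumes twig/twig, twig/markdown-extra, michelf/php-markdown and symfony/html-sanitizer are installed via Composer; the filter names and helper functions are illustrative, not package APIs. In Laravel the same registration calls belong in a service provider’s boot() against the container’s Twig environment binding.

```php
<?php
// Added example (not from the page or the twig/markdown-extra project). Assumed deps:
//   composer require twig/twig twig/markdown-extra michelf/php-markdown symfony/html-sanitizer
// safe_markdown, admin_markdown, buildTwig, renderSamples and checkSanitized are illustrative names.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Twig\Environment;
use Twig\Extra\Markdown\MarkdownExtension;
use Twig\Extra\Markdown\MarkdownRuntime;
use Twig\Extra\Markdown\MichelfMarkdown;
use Twig\Loader\ArrayLoader;
use Twig\Markup;
use Twig\RuntimeLoader\FactoryRuntimeLoader;
use Twig\TwigFilter;

/**
 * Builds a Twig environment with MarkdownExtension registered the way the
 * extension requires (a runtime loader that supplies MarkdownRuntime) and adds:
 *   safe_markdown  - Markdown -> HTML -> sanitized HTML, for untrusted input
 *   admin_markdown - Markdown -> HTML with no sanitization, for trusted authors only
 */
function buildTwig(array $templates): Environment
{
    $twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);

    $converter = new MichelfMarkdown();
    $twig->addRuntimeLoader(new FactoryRuntimeLoader([
        MarkdownRuntime::class => static fn (): MarkdownRuntime => new MarkdownRuntime($converter),
    ]));
    $twig->addExtension(new MarkdownExtension());

    // Allowlist of tags and attributes; links restricted to http/https so a
    // javascript: href is dropped, which strip_tags-style filtering cannot do.
    $config = (new HtmlSanitizerConfig())
        ->allowElement('p')->allowElement('strong')->allowElement('em')
        ->allowElement('code')->allowElement('pre')
        ->allowElement('a', ['href'])->allowLinkSchemes(['http', 'https']);
    $sanitizer = new HtmlSanitizer($config);

    // is_safe => ['html'] tells Twig's autoescaper to print the result verbatim;
    // the sanitizer, not the autoescaper, is what makes that acceptable here.
    $twig->addFilter(new TwigFilter('safe_markdown', static fn (string $md): Markup =>
        new Markup($sanitizer->sanitize($converter->convert($md)), 'UTF-8'),
        ['is_safe' => ['html']]));

    // Deliberately unsanitized: only reach this filter from templates whose data
    // comes from trusted roles (e.g. admins); never use it for user-generated content.
    $twig->addFilter(new TwigFilter('admin_markdown', static fn (string $md): Markup =>
        new Markup($converter->convert($md), 'UTF-8'),
        ['is_safe' => ['html']]));

    return $twig;
}

/** Renders constructed sample inputs through the package filter and the sanitized one. */
function renderSamples(): array
{
    $samples = [ // constructed inputs, not real user data
        'benign' => 'Hello **world**, see [docs](https://example.com/docs).',
        'script' => '<script>alert(1)</script>',
        'jslink' => '[click me](javascript:alert(1))',
    ];
    $twig = buildTwig([
        'safe' => '{{ body|safe_markdown }}',
        'raw'  => '{{ body|markdown_to_html }}',
    ]);

    $out = [];
    foreach ($samples as $name => $body) {
        $out[$name] = [
            'safe' => trim($twig->render('safe', ['body' => $body])),
            'raw'  => trim($twig->render('raw', ['body' => $body])),
        ];
    }
    return $out;
}

/** Throws if the sanitized path let a script tag or a javascript: URL through. */
function checkSanitized(array $results): void
{
    foreach ($results as $name => $r) {
        if (preg_match('/<script|javascript:/i', $r['safe'])) {
            throw new RuntimeException("$name: executable content survived sanitization");
        }
    }
}

$results = renderSamples();
checkSanitized($results);
foreach ($results as $name => $r) {
    // 'raw' shows whatever the installed converter and extension emit unchanged,
    // so you can compare it with the behaviour expected for your version.
    printf("%-7s raw:  %s\n%-7s safe: %s\n", $name, $r['raw'], '', $r['safe']);
}
```

Run it with php from the project root. Two points worth checking in your own setup: the extension declares markdown_to_html’s output as safe for Twig’s autoescaper, so a trailing |e in the template does nothing to it, and for untrusted content the sanitizer is the control to test; and a tag allowlist alone (strip_tags style) is insufficient because it leaves attributes such as href="javascript:..." in place, which is why the example restricts link schemes rather than just tags.
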
Compatibility

  • **Laravel Vers