From 07757e747e99b2000df4cb381de2d6bbeb235b67 Mon Sep 17 00:00:00 2001
From: mchev <martin.chevignard@gmail.com>
Date: Sat, 21 Mar 2026 19:14:51 +0100
Subject: [PATCH] Addresses SSRF risk

---
 .env.example                        |  4 ++
 app/Models/Estimate.php             |  3 +-
 app/Models/Invoice.php              |  3 +-
 app/Models/Payment.php              |  3 +-
 app/Support/PdfHtmlSanitizer.php    | 86 +++++++++++++++++++++++++++++
 config/dompdf.php                   |  2 +-
 tests/Unit/PdfHtmlSanitizerTest.php | 27 +++++++++
 7 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100644 app/Support/PdfHtmlSanitizer.php
 create mode 100644 tests/Unit/PdfHtmlSanitizerTest.php

diff --git a/.env.example b/.env.example
index 4b158bf0..89e85750 100644
--- a/.env.example
+++ b/.env.example
@@ -17,3 +17,7 @@ DB_PASSWORD=
 SESSION_DOMAIN=null
 SANCTUM_STATEFUL_DOMAIN=
 TRUSTED_PROXIES="*"
+
+# Dompdf: keep false so untrusted HTML in PDF notes cannot trigger outbound requests (SSRF).
+# Set true only if you fully trust all PDF HTML and need remote images/CSS.
+DOMPDF_ENABLE_REMOTE=false
diff --git a/app/Models/Estimate.php b/app/Models/Estimate.php
index 353996fc..cafacfc1 100644
--- a/app/Models/Estimate.php
+++ b/app/Models/Estimate.php
@@ -8,6 +8,7 @@ use App\Facades\PDF;
 use App\Mail\SendEstimateMail;
 use App\Services\SerialNumberFormatter;
 use App\Space\PdfTemplateUtils;
+use App\Support\PdfHtmlSanitizer;
 use App\Traits\GeneratesPdfTrait;
 use App\Traits\HasCustomFieldsTrait;
 use Carbon\Carbon;
@@ -475,7 +476,7 @@ class Estimate extends Model implements HasMedia
 
     public function getNotes()
     {
-        return $this->getFormattedString($this->notes);
+        return PdfHtmlSanitizer::sanitize($this->getFormattedString($this->notes));
     }
 
     public function getEmailAttachmentSetting()
diff --git a/app/Models/Invoice.php b/app/Models/Invoice.php
index 3f88a2c7..f77c6e05 100644
--- a/app/Models/Invoice.php
+++ b/app/Models/Invoice.php
@@ -8,6 +8,7 @@ use App\Facades\PDF;
 use App\Mail\SendInvoiceMail;
 use App\Services\SerialNumberFormatter;
 use App\Space\PdfTemplateUtils;
+use App\Support\PdfHtmlSanitizer;
 use App\Traits\GeneratesPdfTrait;
 use App\Traits\HasCustomFieldsTrait;
 use Carbon\Carbon;
@@ -644,7 +645,7 @@ class Invoice extends Model implements HasMedia
 
     public function getNotes()
     {
-        return $this->getFormattedString($this->notes);
+        return PdfHtmlSanitizer::sanitize($this->getFormattedString($this->notes));
     }
 
     public function getEmailString($body)
diff --git a/app/Models/Payment.php b/app/Models/Payment.php
index b52a1e58..e3b3193f 100644
--- a/app/Models/Payment.php
+++ b/app/Models/Payment.php
@@ -6,6 +6,7 @@ use App\Facades\Hashids;
 use App\Jobs\GeneratePaymentPdfJob;
 use App\Mail\SendPaymentMail;
 use App\Services\SerialNumberFormatter;
+use App\Support\PdfHtmlSanitizer;
 use App\Traits\GeneratesPdfTrait;
 use App\Traits\HasCustomFieldsTrait;
 use Barryvdh\DomPDF\Facade\Pdf as PDF;
@@ -433,7 +434,7 @@ class Payment extends Model implements HasMedia
 
     public function getNotes()
     {
-        return $this->getFormattedString($this->notes);
+        return PdfHtmlSanitizer::sanitize($this->getFormattedString($this->notes));
     }
 
     public function getEmailBody($body)
diff --git a/app/Support/PdfHtmlSanitizer.php b/app/Support/PdfHtmlSanitizer.php
new file mode 100644
index 00000000..95d16558
--- /dev/null
+++ b/app/Support/PdfHtmlSanitizer.php
@@ -0,0 +1,86 @@
+<?php
+
+namespace App\Support;
+
+use DOMDocument;
+use DOMElement;
+use DOMXPath;
+
+final class PdfHtmlSanitizer
+{
+    /**
+     * Sanitize HTML that will be rendered inside Dompdf. Removes tags that can trigger
+     * network requests (SSRF) or carry executable handlers, while keeping common
+     * text-formatting markup used in invoice/estimate/payment notes.
+     */
+    public static function sanitize(string $html): string
+    {
+        if ($html === '') {
+            return '';
+        }
+
+        $allowedTags = '<br><br/><p><b><strong><i><em><u><ol><ul><li><table><tr><td><th><thead><tbody><tfoot><h1><h2><h3><h4><blockquote>';
+        $html = strip_tags($html, $allowedTags);
+
+        $previous = libxml_use_internal_errors(true);
+
+        $doc = new DOMDocument;
+        $wrapped = '<?xml encoding="UTF-8"?><div id="__pdf_notes">'.$html.'</div>';
+        $doc->loadHTML($wrapped, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
+        libxml_clear_errors();
+        libxml_use_internal_errors($previous);
+
+        $xpath = new DOMXPath($doc);
+        $root = $xpath->query('//*[@id="__pdf_notes"]')->item(0);
+
+        if (! $root instanceof DOMElement) {
+            return $html;
+        }
+
+        foreach ($xpath->query('.//*', $root) as $element) {
+            if (! $element instanceof DOMElement) {
+                continue;
+            }
+
+            $toRemove = [];
+
+            foreach ($element->attributes as $attr) {
+                if (self::shouldRemoveAttribute($attr->name)) {
+                    $toRemove[] = $attr->name;
+                }
+            }
+
+            foreach ($toRemove as $name) {
+                $element->removeAttribute($name);
+            }
+        }
+
+        $result = '';
+
+        foreach ($root->childNodes as $child) {
+            $result .= $doc->saveHTML($child);
+        }
+
+        return $result;
+    }
+
+    private static function shouldRemoveAttribute(string $name): bool
+    {
+        $lower = strtolower($name);
+
+        if (str_starts_with($lower, 'on')) {
+            return true;
+        }
+
+        return in_array($lower, [
+            'style',
+            'src',
+            'href',
+            'srcset',
+            'srcdoc',
+            'poster',
+            'formaction',
+            'xlink:href',
+        ], true);
+    }
+}
diff --git a/config/dompdf.php b/config/dompdf.php
index 8be2d1f4..10841831 100644
--- a/config/dompdf.php
+++ b/config/dompdf.php
@@ -227,7 +227,7 @@ return [
          *
          * @var bool
          */
-        'enable_remote' => true,
+        'enable_remote' => env('DOMPDF_ENABLE_REMOTE', false),
 
         /**
          * A ratio applied to the fonts height to be more like browsers' line height
diff --git a/tests/Unit/PdfHtmlSanitizerTest.php b/tests/Unit/PdfHtmlSanitizerTest.php
new file mode 100644
index 00000000..c28ed3af
--- /dev/null
+++ b/tests/Unit/PdfHtmlSanitizerTest.php
@@ -0,0 +1,27 @@
+<?php
+
+use App\Support\PdfHtmlSanitizer;
+
+it('removes img tags that could trigger SSRF during PDF rendering', function () {
+    $html = "<p>Hi</p><img src='http://example.com/x'>";
+
+    expect(PdfHtmlSanitizer::sanitize($html))->not->toContain('<img');
+});
+
+it('preserves basic formatting tags', function () {
+    $html = '<p><b>Bold</b> and <i>italic</i></p>';
+
+    expect(PdfHtmlSanitizer::sanitize($html))->toContain('<b>')->toContain('<i>');
+});
+
+it('strips style and link attributes that may carry URLs', function () {
+    $html = '<p style="background:url(http://example.com/)">x</p><a href="http://evil">y</a>';
+
+    $out = PdfHtmlSanitizer::sanitize($html);
+
+    expect($out)->not->toContain('style=')->not->toContain('href=')->not->toContain('example.com');
+});
+
+it('returns empty string for empty input', function () {
+    expect(PdfHtmlSanitizer::sanitize(''))->toBe('');
+});