Addresses SSRF risk

2026-04-14 00:34:05 +00:00 · 2026-03-21 19:14:51 +01:00
parent d4e19646ee
commit 07757e747e
7 changed files with 124 additions and 4 deletions
--- a/app/Support/PdfHtmlSanitizer.php
+++ b/app/Support/PdfHtmlSanitizer.php
@@ -0,0 +1,86 @@
+<?php
+
+namespace App\Support;
+
+use DOMDocument;
+use DOMElement;
+use DOMXPath;
+
+final class PdfHtmlSanitizer
+{
+    /**
+     * Sanitize HTML that will be rendered inside Dompdf. Removes tags that can trigger
+     * network requests (SSRF) or carry executable handlers, while keeping common
+     * text-formatting markup used in invoice/estimate/payment notes.
+     */
+    public static function sanitize(string $html): string
+    {
+        if ($html === '') {
+            return '';
+        }
+
+        $allowedTags = '<br><br/><p><b><strong><i><em><u><ol><ul><li><table><tr><td><th><thead><tbody><tfoot><h1><h2><h3><h4><blockquote>';
+        $html = strip_tags($html, $allowedTags);
+
+        $previous = libxml_use_internal_errors(true);
+
+        $doc = new DOMDocument;
+        $wrapped = '<?xml encoding="UTF-8"?><div id="__pdf_notes">'.$html.'</div>';
+        $doc->loadHTML($wrapped, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
+        libxml_clear_errors();
+        libxml_use_internal_errors($previous);
+
+        $xpath = new DOMXPath($doc);
+        $root = $xpath->query('//*[@id="__pdf_notes"]')->item(0);
+
+        if (! $root instanceof DOMElement) {
+            return $html;
+        }
+
+        foreach ($xpath->query('.//*', $root) as $element) {
+            if (! $element instanceof DOMElement) {
+                continue;
+            }
+
+            $toRemove = [];
+
+            foreach ($element->attributes as $attr) {
+                if (self::shouldRemoveAttribute($attr->name)) {
+                    $toRemove[] = $attr->name;
+                }
+            }
+
+            foreach ($toRemove as $name) {
+                $element->removeAttribute($name);
+            }
+        }
+
+        $result = '';
+
+        foreach ($root->childNodes as $child) {
+            $result .= $doc->saveHTML($child);
+        }
+
+        return $result;
+    }
+
+    private static function shouldRemoveAttribute(string $name): bool
+    {
+        $lower = strtolower($name);
+
+        if (str_starts_with($lower, 'on')) {
+            return true;
+        }
+
+        return in_array($lower, [
+            'style',
+            'src',
+            'href',
+            'srcset',
+            'srcdoc',
+            'poster',
+            'formaction',
+            'xlink:href',
+        ], true);
+    }
+}