diff --git a/app/Models/Estimate.php b/app/Models/Estimate.php
index cafacfc1..353996fc 100644
--- a/app/Models/Estimate.php
+++ b/app/Models/Estimate.php
@@ -8,7 +8,6 @@ use App\Facades\PDF;
 use App\Mail\SendEstimateMail;
 use App\Services\SerialNumberFormatter;
 use App\Space\PdfTemplateUtils;
-use App\Support\PdfHtmlSanitizer;
 use App\Traits\GeneratesPdfTrait;
 use App\Traits\HasCustomFieldsTrait;
 use Carbon\Carbon;
@@ -476,7 +475,7 @@ class Estimate extends Model implements HasMedia
 
     public function getNotes()
     {
-        return PdfHtmlSanitizer::sanitize($this->getFormattedString($this->notes));
+        return $this->getFormattedString($this->notes);
     }
 
     public function getEmailAttachmentSetting()
diff --git a/app/Models/Invoice.php b/app/Models/Invoice.php
index a56e035b..fb13ce52 100644
--- a/app/Models/Invoice.php
+++ b/app/Models/Invoice.php
@@ -8,7 +8,6 @@ use App\Facades\PDF;
 use App\Mail\SendInvoiceMail;
 use App\Services\SerialNumberFormatter;
 use App\Space\PdfTemplateUtils;
-use App\Support\PdfHtmlSanitizer;
 use App\Traits\GeneratesPdfTrait;
 use App\Traits\HasCustomFieldsTrait;
 use Carbon\Carbon;
@@ -657,7 +656,7 @@ class Invoice extends Model implements HasMedia
 
     public function getNotes()
     {
-        return PdfHtmlSanitizer::sanitize($this->getFormattedString($this->notes));
+        return $this->getFormattedString($this->notes);
     }
 
     public function getEmailString($body)
diff --git a/app/Models/Payment.php b/app/Models/Payment.php
index e3b3193f..b52a1e58 100644
--- a/app/Models/Payment.php
+++ b/app/Models/Payment.php
@@ -6,7 +6,6 @@ use App\Facades\Hashids;
 use App\Jobs\GeneratePaymentPdfJob;
 use App\Mail\SendPaymentMail;
 use App\Services\SerialNumberFormatter;
-use App\Support\PdfHtmlSanitizer;
 use App\Traits\GeneratesPdfTrait;
 use App\Traits\HasCustomFieldsTrait;
 use Barryvdh\DomPDF\Facade\Pdf as PDF;
@@ -434,7 +433,7 @@ class Payment extends Model implements HasMedia
 
     public function getNotes()
     {
-        return PdfHtmlSanitizer::sanitize($this->getFormattedString($this->notes));
+        return $this->getFormattedString($this->notes);
     }
 
     public function getEmailBody($body)
diff --git a/app/Traits/GeneratesPdfTrait.php b/app/Traits/GeneratesPdfTrait.php
index 623d33e8..3c03ff6c 100644
--- a/app/Traits/GeneratesPdfTrait.php
+++ b/app/Traits/GeneratesPdfTrait.php
@@ -5,6 +5,7 @@ namespace App\Traits;
 use App\Models\Address;
 use App\Models\CompanySetting;
 use App\Models\FileDisk;
+use App\Support\PdfHtmlSanitizer;
 use Carbon\Carbon;
 use Illuminate\Support\Facades\App;
 
@@ -182,6 +183,10 @@ trait GeneratesPdfTrait
 
         $str = str_replace('</p>', '<br />', $str);
 
-        return $str;
+        // Sanitize the assembled HTML to strip any SSRF vectors that may have
+        // entered through user-supplied address fields, customer names, or
+        // custom field values. Notes also pass through this method, so they
+        // get the same treatment without needing a separate wrapper.
+        return PdfHtmlSanitizer::sanitize($str);
     }
 }
diff --git a/tests/Unit/PdfHtmlSanitizerTest.php b/tests/Unit/PdfHtmlSanitizerTest.php
index d94120f4..12f8f152 100644
--- a/tests/Unit/PdfHtmlSanitizerTest.php
+++ b/tests/Unit/PdfHtmlSanitizerTest.php
@@ -34,3 +34,39 @@ it('normalizes legacy closing-br markup so lines are not collapsed in PDF output
     expect($out)->toContain('<br')->toContain('line1')->toContain('line2');
     expect($out)->not->toBe('line1line2');
 });
+
+it('strips SSRF vectors injected via address-template placeholders', function () {
+    // Simulates the output of GeneratesPdfTrait::getFormattedString() after a
+    // malicious customer name like "Acme <img src='http://attacker/probe'>" has
+    // been substituted into an address template via {BILLING_ADDRESS_NAME}.
+    $html = "Acme <img src='http://attacker.test/probe'><br />123 Main St<br />Springfield";
+
+    $out = PdfHtmlSanitizer::sanitize($html);
+
+    expect($out)->not->toContain('<img');
+    expect($out)->not->toContain('src=');
+    expect($out)->not->toContain('attacker.test');
+    expect($out)->toContain('Acme');
+    expect($out)->toContain('123 Main St');
+    expect($out)->toContain('Springfield');
+});
+
+it('strips iframe and link tags that could trigger SSRF', function () {
+    $html = '<iframe src="http://attacker/x"></iframe><link rel="stylesheet" href="http://attacker/y.css">Hello';
+
+    $out = PdfHtmlSanitizer::sanitize($html);
+
+    expect($out)->not->toContain('<iframe');
+    expect($out)->not->toContain('<link');
+    expect($out)->not->toContain('attacker');
+    expect($out)->toContain('Hello');
+});
+
+it('strips on* event handler attributes from allowed tags', function () {
+    $html = '<p onload="alert(1)" onclick="x">click me</p>';
+
+    $out = PdfHtmlSanitizer::sanitize($html);
+
+    expect($out)->not->toContain('onload')->not->toContain('onclick')->not->toContain('alert');
+    expect($out)->toContain('click me');
+});