improve the security service

spipu · spipu · commit b5242416105d · 2025-06-04T10:26:44.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 All notable changes to this project will be documented in this file.
 
+## [5.3.3](https://github.com/spipu/html2pdf/compare/v5.3.2...v5.3.3) - 2025-06-04
+
+  * improve the security service
+
 ## [5.3.2](https://github.com/spipu/html2pdf/compare/v5.3.1...v5.3.2) - 2025-04-25
 
   * add readonly attribute support for input and textarea - thanks to @kkevinchoo
diff --git a/doc/security.md b/doc/security.md
@@ -15,6 +15,18 @@ You can add a specific host to be allowed for http/https scheme. By default, the
 $html2pdf->getSecurityService()->addAllowedHost('www.html2pdf.fr');
 ```
 
+You can reset the list of allowed hosts for http/https scheme.
+
+```php
+$html2pdf->getSecurityService()->resetAllowedHosts();
+```
+
+You can disable the check on the allowed hosts for http/https scheme.
+
+```php
+$html2pdf->getSecurityService()->disableCheckAllowedHosts();
+```
+
 You must ensure that the HTML you want to convert is secure, **especially if it is generated from uncontrolled data contributed by users**.
 In such cases, an attacker could send requests to both external servers and restricted-access servers (e.g., within a local network) on host that you have added to the whitelist.
 
diff --git a/src/Html2Pdf.php b/src/Html2Pdf.php
@@ -259,7 +259,7 @@ public function getVersionAsArray()
         return array(
             'major'     => 5,
             'minor'     => 3,
-            'revision'  => 2,
+            'revision'  => 3,
         );
     }
 
diff --git a/src/Security/Security.php b/src/Security/Security.php
@@ -26,6 +26,11 @@ class Security implements SecurityInterface
      */
     protected $allowedHosts = [];
 
+    /**
+     * @var bool
+     */
+    private $checkAllowedHosts = true;
+
     /**
      * @param string $path
      * @return void
@@ -38,7 +43,7 @@ public function checkValidPath(string $path): void
             throw new HtmlParsingException('Unauthorized path scheme');
         }
 
-        if (!$this->checkValidPathHost($path)) {
+        if ($this->checkAllowedHosts && !$this->checkValidPathHost($path)) {
             throw new HtmlParsingException('Unauthorized path host on ' . $path . ' => ' . implode('|', $this->allowedHosts));
         }
     }
@@ -96,4 +101,17 @@ public function addAllowedHost(string $host): void
             $this->allowedHosts[] = $host;
         }
     }
+
+    /**
+     * @return void
+     */
+    public function resetAllowedHosts(): void
+    {
+        $this->allowedHosts = [];
+    }
+
+    public function disableCheckAllowedHosts(): void
+    {
+        $this->checkAllowedHosts = false;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -259,7 +259,7 @@ public function getVersionAsArray()`
`259`	`259`	`return array(`
`260`	`260`	`'major' => 5,`
`261`	`261`	`'minor' => 3,`
`262`		`- 'revision' => 2,`
	`262`	`+ 'revision' => 3,`
`263`	`263`	`);`
`264`	`264`	`}`
`265`	`265`