Merge pull request #1338 from pcworld/image-security-doc

troosan · web-flow · commit 57ededeabf70 · 2018-04-13T22:36:18.000+02:00
Improve security-related documentation of addImage and addHtml
diff --git a/docs/elements.rst b/docs/elements.rst
@@ -242,7 +242,7 @@ To add an image, use the ``addImage`` method to sections, headers, footers, text
 
     $section->addImage($src, [$style]);
 
-- ``$src``. String path to a local image, URL of a remote image or the image data, as a string.
+- ``$src``. String path to a local image, URL of a remote image or the image data, as a string. Warning: Do not pass user-generated strings here, as that would allow an attacker to read arbitrary files or perform server-side request forgery by passing file paths or URLs instead of image data.
 - ``$style``. See :ref:`image-style`.
 
 Examples:
diff --git a/src/PhpWord/Shared/Html.php b/src/PhpWord/Shared/Html.php
@@ -37,6 +37,8 @@ class Html
      * Add HTML parts.
      *
      * Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter
+     * Warning: Do not pass user-generated HTML here, as that would allow an attacker to read arbitrary
+     * files or perform server-side request forgery by passing local file paths or URLs in <img>.
      *
      * @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added
      * @param string $html The code to parse

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ class Html`
`37`	`37`	`* Add HTML parts.`
`38`	`38`	`*`
`39`	`39`	`* Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter`
	`40`	`+ * Warning: Do not pass user-generated HTML here, as that would allow an attacker to read arbitrary`
	`41`	`+ * files or perform server-side request forgery by passing local file paths or URLs in <img>.`
`40`	`42`	`*`
`41`	`43`	`* @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added`
`42`	`44`	`* @param string $html The code to parse`