Warn about parsing user-generated HTML

pcworld · pcworld · commit 6253adaba15a · 2018-04-09T02:48:49.000+02:00
diff --git a/src/PhpWord/Shared/Html.php b/src/PhpWord/Shared/Html.php
@@ -34,6 +34,8 @@ class Html
      * Add HTML parts.
      *
      * Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter
+     * Warning: Do not pass user-generated HTML here, as that would allow an attacker to read arbitrary
+     * files or perform server-side request forgery by passing local file paths or URLs in <img>.
      *
      * @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added
      * @param string $html The code to parse

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ class Html`
`34`	`34`	`* Add HTML parts.`
`35`	`35`	`*`
`36`	`36`	`* Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter`
	`37`	`+ * Warning: Do not pass user-generated HTML here, as that would allow an attacker to read arbitrary`
	`38`	`+ * files or perform server-side request forgery by passing local file paths or URLs in <img>.`
`37`	`39`	`*`
`38`	`40`	`* @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added`
`39`	`41`	`* @param string $html The code to parse`