
Commit c07bbd6

freekmurzeclaude
andcommitted
Fix false positives in UNC path detection for HTML with backslashes
The broad `\\` entry in `$unsafeProtocols` matched any double backslash in HTML via `str_contains`, causing false positives with TailwindCSS compiled output (e.g. `hover\:flex`). Replace with a targeted regex that only blocks `\\` followed by local addresses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 713e6b6 commit c07bbd6


2 files changed

+16
-1
lines changed


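--- a/src/Browsershot.php
+++ b/src/Browsershot.php
@@ -76,7 +76,6 @@ class Browsershot
 'file:\\',
 'file:\\\\',
 'view-source',
-'\\\\',
 ];
 
 /** @var array<string,string> */
@@ -345,6 +344,10 @@ public function setHtml(string $html): static
 if (preg_match('#//\s*(localhost[/:\s]|127\.|0\.0\.0\.0[/:\s]|\[::1][/:\s]|::1[/:\s])#i', $content)) {
 throw HtmlIsNotAllowedToContainFile::make();
 }
+
+if (preg_match('#\\\\\\\\\s*(localhost[/\\\\\s]|127\.|0\.0\.0\.0[/\\\\\s]|\[::1][/\\\\\s]|::1[/\\\\\s])#i', $content)) {
+throw HtmlIsNotAllowedToContainFile::make();
+}
 }
 
 $this->html = $html;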
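Review bot: The new check in `setHtml()` rejects `\\` only when a loopback name follows, so a UNC reference to any other host (an internal file server, a non-loopback address) now passes where the removed `'\\\\'` entry in `$unsafeProtocols` rejected it. Where the rendering browser resolves UNC paths (presumably Windows hosts), that leaves a file read or an outbound SMB connection reachable from untrusted HTML. One option is to reject `\\` followed by any host-like token and a separator, e.g. `preg_match('#\\\\\\\\[\w.\-\[\]:]+[/\\\\]#', $content)`, which still lets CSS escapes such as `\:` through but would need its own false-positive check against JS-escaped Windows paths. If remote UNC hosts are deliberately out of scope, say so in a comment above the check, e.g. `// Only loopback UNC hosts are rejected; other \\host\share references are allowed by design.` The block that defines `$content` and encloses these checks opens outside the hunk.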

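--- a/tests/BrowsershotTest.php
+++ b/tests/BrowsershotTest.php
@@ -79,6 +79,8 @@
 })->throws(HtmlIsNotAllowedToContainFile::class)->with([
 '<iframe src="\\\\localhost/etc/passwd">',
 '<iframe src="\\\\127.0.0.1/etc/passwd">',
+'<iframe src="\\\\0.0.0.0/etc/passwd">',
+'<iframe src="\\\\[::1]/etc/passwd">',
 ]);
 
 it('will not allow html to contain protocol-relative urls to local addresses', function (string $html) {
@@ -97,6 +99,16 @@
 expect($browsershot)->toBeInstanceOf(Browsershot::class);
 });
 
+it('will allow html containing backslashes in css', function (string $html) {
+$browsershot = Browsershot::html($html);
+
+expect($browsershot)->toBeInstanceOf(Browsershot::class);
+})->with([
+'<style>.hover\:flex { display: flex; }</style>',
+'<style>.md\:grid-cols-2 { grid-template-columns: repeat(2, minmax(0, 1fr)); }</style>',
+'<style>.content::before { content: "\25B6"; }</style>',
+]);
+
 it('no redirects - will not follow redirects', function () {
 $targetPath = __DIR__.'/temp/redirect_fail.pdf';
 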
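Review bot: The three datasets added for 'will allow html containing backslashes in css' each hold a single backslash once PHP parses the single-quoted literal (`\:`, `\25B6`), so they would not have matched the removed two-backslash entry either and the test may already pass on the parent commit. Unless `$content` is transformed before the checks run (not visible in this diff), add a dataset that really contains two consecutive backslashes, e.g. `'<style>.a::before { content: "\\\\"; }</style>'`, so the false positive is pinned. A dataset with `\\` followed by a non-loopback host would also record, either as allowed or as rejected, where the boundary of the new check is meant to lie.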
