Aix/PHPWord
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Warn about parsing user-generated HTML

Browse Source
This commit is contained in:
pcworld 2018-04-09 02:47:16 +02:00
parent a7981717b3
commit 6253adaba1
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/PhpWord/Shared/Html.php
View File

@ -34,6 +34,8 @@ class Html
* Add HTML parts. * Add HTML parts.
* *
* Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter * Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter
* Warning: Do not pass user-generated HTML here, as that would allow an attacker to read arbitrary
* files or perform server-side request forgery by passing local file paths or URLs in <img>.
* *
* @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added * @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added
* @param string $html The code to parse * @param string $html The code to parse