diff --git a/.github/workflows/run-static-analysis.yml b/.github/workflows/run-static-analysis.yml
index bd25c7b..b2f6796 100644
--- a/.github/workflows/run-static-analysis.yml
+++ b/.github/workflows/run-static-analysis.yml
@@ -23,7 +23,7 @@ jobs:
fail-fast: false
matrix:
php: [8.1, 8.2, 8.3]
- laravel: [10.*, 11.*]
+ laravel: [9.*, 10.*, 11.*]
dependency-version: [prefer-stable]
exclude:
- laravel: 11.*
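Review bot: The new `laravel: [9.*, 10.*, 11.*]` list is written as plain scalars here while run-tests.yml quotes the identical list (`'9.*'`), and the sibling `php: [8.1, 8.2, 8.3]` entries are parsed as YAML floats; that round-trips today but would silently turn a future `8.10` into `8.1`. Quote both lists so the two workflows agree and the values stay strings: `php: ['8.1', '8.2', '8.3']` and `laravel: ['9.*', '10.*', '11.*']`. The `exclude:` entry at the end of the hunk continues past it, so I cannot tell from here whether any Laravel 9 combination should be excluded as well.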
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index f048c61..f9818bb 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -22,53 +22,12 @@ jobs:
strategy:
fail-fast: false
matrix:
- php: [7.2, 7.3, 7.4, 8.0, 8.2]
- laravel: ['6.*', '7.*', '8.*', '11.*']
+ php: [8.1, 8.2, 8.3]
+ laravel: ['9.*', '10.*', '11.*']
dependency-version: [prefer-lowest, prefer-stable]
- include:
- - laravel: 11.*
- php: 8.3
- dependency-version: prefer-stable
- - laravel: 11.*
- php: 8.2
- dependency-version: prefer-stable
- - laravel: 10.*
- php: 8.3
- dependency-version: prefer-stable
- - laravel: 10.*
- php: 8.2
- dependency-version: prefer-stable
- - laravel: 10.*
- php: 8.1
- dependency-version: prefer-stable
- - laravel: 9.*
- php: 8.2
- dependency-version: prefer-stable
- - laravel: 9.*
- php: 8.1
- dependency-version: prefer-stable
- - laravel: 9.*
- php: 8.0
- dependency-version: prefer-stable
exclude:
- - laravel: 8.*
- php: 7.2
- - laravel: 6.*
- php: 8.2
- - laravel: 7.*
- php: 8.2
- - laravel: 8.*
- php: 8.2
- - php: 8.0
- dependency-version: prefer-lowest
- laravel: 11.*
- php: 7.2
- - laravel: 11.*
- php: 7.3
- - laravel: 11.*
- php: 7.4
- - laravel: 11.*
- php: 8.0
+ php: 8.1
name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.dependency-version }}
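Review bot: `php: [8.1, 8.2, 8.3]` stays unquoted while the `laravel` list on the next line is quoted, so the two matrix axes are parsed differently (floats versus strings), and the `exclude` entry `php: 8.1` only matches because the float happens to stringify back to the same text. Quote the PHP versions, `php: ['8.1', '8.2', '8.3']` in the matrix and `php: '8.1'` in the exclude, so matrix matching and the `P${{ matrix.php }}` job name do not depend on YAML float formatting. Removing every `include:` entry also means each remaining combination now runs under both `prefer-lowest` and `prefer-stable`; that seems intended, but it is worth confirming that Laravel 9's lowest release resolves on PHP 8.3 before merging, since no exclude covers that pair.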
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df796b1..c651e32 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+[3.0.0]
+Version 3.x supports DomPDF version 3.x. See the changelog in https://github.com/dompdf/dompdf/releases/tag/v3.0.0
+
+The most notable change in laravel-dompdf are the changed defaults, to be more secure;
+ - `enable_remote` is now `false` by default. Change with caution.
+ - `allowedRemoteHosts` and `artifactPathValidation` are added the the config.
+Also, support for Laravel < 9 and PHP < 8.1 is dropped.
[2.2.0]
## What's Changed
diff --git a/composer.json b/composer.json
index 797e657..5422d18 100644
--- a/composer.json
+++ b/composer.json
@@ -14,15 +14,15 @@
}
],
"require": {
- "php": "^7.2 || ^8.0",
- "dompdf/dompdf": "^2.0.7 || ^3.0",
- "illuminate/support": "^6|^7|^8|^9|^10|^11"
+ "php": "^8.1",
+ "dompdf/dompdf": "^3.0",
+ "illuminate/support": "^9|^10|^11"
},
"require-dev": {
- "orchestra/testbench": "^4|^5|^6|^7|^8|^9",
+ "orchestra/testbench": "^7|^8|^9",
"squizlabs/php_codesniffer": "^3.5",
- "phpro/grumphp": "^1 || ^2.5",
- "larastan/larastan": "^1.0|^2.7.0"
+ "phpro/grumphp": "^2.5",
+ "larastan/larastan": "^2.7.0"
},
"autoload": {
"psr-4": {
@@ -36,7 +36,7 @@
},
"extra": {
"branch-alias": {
- "dev-master": "2.2-dev"
+ "dev-master": "3.0-dev"
},
"laravel": {
"providers": [
diff --git a/config/dompdf.php b/config/dompdf.php
index 5278b7d..5a6df19 100644
--- a/config/dompdf.php
+++ b/config/dompdf.php
@@ -141,20 +141,6 @@
*/
"pdf_backend" => "CPDF",
- /**
- * PDFlib license key
- *
- * If you are using a licensed, commercial version of PDFlib, specify
- * your license key here. If you are using PDFlib-Lite or are evaluating
- * the commercial version of PDFlib, comment out this setting.
- *
- * @link http://www.pdflib.com
- *
- * If pdflib present in web server and auto or selected explicitely above,
- * a real license code must exist!
- */
- //"DOMPDF_PDFLIB_LICENSE" => "your license key here",
-
/**
* html target media view which should be rendered into pdf.
* List of types and parsing rules for future extensions:
@@ -229,24 +215,31 @@
"dpi" => 96,
/**
- * Enable inline PHP
+ * Enable embedded PHP
*
- * If this setting is set to true then DOMPDF will automatically evaluate
- * inline PHP contained within tags.
+ * If this setting is set to true then DOMPDF will automatically evaluate embedded PHP contained
+ * within tags.
*
- * Enabling this for documents you do not trust (e.g. arbitrary remote html
- * pages) is a security risk. Set this option to false if you wish to process
- * untrusted documents.
+ * ==== IMPORTANT ==== Enabling this for documents you do not trust (e.g. arbitrary remote html pages)
+ * is a security risk.
+ * Embedded scripts are run with the same level of system access available to dompdf.
+ * Set this option to false (recommended) if you wish to process untrusted documents.
+ * This setting may increase the risk of system exploit.
+ * Do not change this settings without understanding the consequences.
+ * Additional documentation is available on the dompdf wiki at:
+ * https://github.com/dompdf/dompdf/wiki
*
* @var bool
*/
"enable_php" => false,
/**
- * Enable inline Javascript
+ * Rnable inline JavaScript
*
- * If this setting is set to true then DOMPDF will automatically insert
- * JavaScript code contained within tags.
+ * If this setting is set to true then DOMPDF will automatically insert JavaScript code contained
+ * within tags as written into the PDF.
+ * NOTE: This is PDF-based JavaScript to be executed by the PDF viewer,
+ * not browser-based JavaScript executed by Dompdf.
*
* @var bool
*/
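Review bot: The rewritten JavaScript doc block starts with a typo, `* Rnable inline JavaScript` should be `* Enable inline JavaScript`, and the PHP block's `Do not change this settings` should read `this setting`. More importantly, the JavaScript comment now says scripts are copied as written into the PDF and executed by the viewer, but stops short of the conclusion a user needs: with untrusted HTML input, the author of that HTML controls script that runs in every recipient's PDF viewer, so this option deserves the same caution the PHP and remote options get. I would add `* If the HTML is not fully trusted, consider setting this to false: any <script> in the input is executed by the reader's PDF viewer.` to the JavaScript block. The `enable_javascript` value line itself is outside the hunk, so I cannot confirm its default from here.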
@@ -255,21 +248,24 @@
/**
* Enable remote file access
*
- * If this setting is set to true, DOMPDF will access remote sites for
- * images and CSS files as required.
- * This is required for part of test case www/test/image_variants.html through www/examples.php
+ * If this setting is set to true, DOMPDF will access remote sites for
+ * images and CSS files as required.
+ *
+ * ==== IMPORTANT ====
+ * This can be a security risk, in particular in combination with isPhpEnabled and
+ * allowing remote html code to be passed to $dompdf = new DOMPDF(); $dompdf->load_html(...);
+ * This allows anonymous users to download legally doubtful internet content which on
+ * tracing back appears to being downloaded by your server, or allows malicious php code
+ * in remote html pages to be executed by your server with your account privileges.
*
- * Attention!
- * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
- * allowing remote access to dompdf.php or on allowing remote html code to be passed to
- * $dompdf = new DOMPDF(, $dompdf->load_html(...,
- * This allows anonymous users to download legally doubtful internet content which on
- * tracing back appears to being downloaded by your server, or allows malicious php code
- * in remote html pages to be executed by your server with your account privileges.
+ * This setting may increase the risk of system exploit. Do not change
+ * this settings without understanding the consequences. Additional
+ * documentation is available on the dompdf wiki at:
+ * https://github.com/dompdf/dompdf/wiki
*
* @var bool
*/
- "enable_remote" => true,
+ "enable_remote" => false,
/**
* List of allowed remote hosts
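Review bot: The warning above `"enable_remote" => false,` still describes the risk as downloading "legally doubtful" content and executing remote PHP, but leaves out the more common issue with remote fetching: the server requests whatever URL the HTML references, so untrusted input can make it reach internal services or other hosts only the server can see (server-side request forgery). The block should also point readers at the host list that immediately follows it, since that is the supported way to re-enable remote access with a bounded blast radius. I would add `* If you need remote assets, enable this only together with an explicit allowed remote hosts list (next option below); without one the HTML author chooses which URLs your server fetches.` directly after the `==== IMPORTANT ====` paragraph. The `$dompdf->load_html(...)` call quoted in the comment looks like an older method spelling; worth checking it matches the dompdf 3.x API the package now requires.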
diff --git a/readme.md b/readme.md
index 89eb328..2de314d 100644
--- a/readme.md
+++ b/readme.md
@@ -91,9 +91,10 @@ Available options and their defaults:
* __dpi__: 96 _(available in config/dompdf.php)_
* __fontHeightRatio__: 1.1 _(available in config/dompdf.php)_
* __isPhpEnabled__: false _(available in config/dompdf.php)_
-* __isRemoteEnabled__: true _(available in config/dompdf.php)_
+* __isRemoteEnabled__: false _(available in config/dompdf.php)_
* __isJavascriptEnabled__: true _(available in config/dompdf.php)_
-* __isHtml5ParserEnabled__: false _(available in config/dompdf.php)_
+* __isHtml5ParserEnabled__: true _(available in config/dompdf.php)_
+* __allowedRemoteHosts__: null _(available in config/dompdf.php)_
* __isFontSubsettingEnabled__: false _(available in config/dompdf.php)_
* __debugPng__: false
* __debugKeepTemp__: false
@@ -107,6 +108,9 @@ Available options and their defaults:
* __pdflibLicense__: ""
* __adminUsername__: "user"
* __adminPassword__: "password"
+* __artifactPathValidation__: null _(available in config/dompdf.php)_
+
+#### Note: Since 3.x the remote access is disabled by default, to provide more security. Use with caution!
### Tip: UTF-8 support
In your templates, set the UTF-8 Metatag: