Update resource validation logic

The previous logic did not validate the font-family when set by attribute. To accommodate style validation across all sources the Style class now accepts the Document during construction so that it has access to the allowExternalReferences property regardless of style source.
dompdf · Feb 7, 2024 · 8ffcc41
1 parent 8a8a1eb
commit 8ffcc41
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 14 deletions.
diff --git a/src/Svg/Document.php b/src/Svg/Document.php
@@ -202,7 +202,7 @@ protected function before($attributes)
     {
         $surface = $this->getSurface();
 
-        $style = new DefaultStyle();
+        $style = new DefaultStyle($this);
         $style->inherit($this);
         $style->fromAttributes($attributes);
 

diff --git a/src/Svg/Style.php b/src/Svg/Style.php
@@ -18,6 +18,7 @@ class Style
     const TYPE_ANGLE = 4;
     const TYPE_NUMBER = 5;
 
+    private $_document;
     private $_parentStyle;
 
     public $color;
@@ -43,6 +44,12 @@ class Style
     public $fontStyle = 'normal';
     public $textAnchor = 'start';
 
+    public function __construct($document = null) {
+        if ($document !== null) {
+            $this->_document = $document;
+        }
+    }
+
     protected function getStyleMap()
     {
         return array(
@@ -139,16 +146,6 @@ public function fromStyleSheets(AbstractTag $tag, $attributes) {
                         break;
                     }
                 }
-
-                if (
-                    \array_key_exists("font-family", $styles)
-                    && (
-                        \strtolower(\substr($this->href, 0, 7)) === "phar://"
-                        || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
-                    )
-                ) {
-                    unset($style["font-family"]);
-                }
             }
         }
 
@@ -185,6 +182,16 @@ protected function fillStyles($styles)
                         $value = $styles[$from];
                 }
 
+                if ($from === "font-family") {
+                    $scheme = \strtolower(parse_url($value, PHP_URL_SCHEME) ?: "");
+                    if (
+                        $scheme === "phar" || \strtolower(\substr($value, 0, 7)) === "phar://"
+                        || ($this->_document !== null && $this->_document->allowExternalReferences === false && $scheme !== "data")
+                    ) {
+                        continue;
+                    }
+                }
+
                 if ($value !== null) {
                     $this->$to = $value;
                 }

diff --git a/src/Svg/Tag/AbstractTag.php b/src/Svg/Tag/AbstractTag.php
@@ -119,7 +119,7 @@ public function getStyle()
      * @return Style
      */
     protected function makeStyle($attributes) {
-        $style = new Style();
+        $style = new Style($this->document);
         $style->inherit($this);
         $style->fromStyleSheets($this, $attributes);
         $style->fromAttributes($attributes);

diff --git a/src/Svg/Tag/Image.php b/src/Svg/Tag/Image.php
@@ -58,8 +58,14 @@ public function start($attributes)
 
         $this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);
 
-        if (\strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {
-            return;
+        if ($from === "font-family") {
+            $scheme = \strtolower(parse_url($this->href, PHP_URL_SCHEME) ?: "");
+            if (
+                $scheme === "phar" || \strtolower(\substr($this->href, 0, 7)) === "phar://"
+                || ($this->document->allowExternalReferences === false && $scheme !== "data")