wip

src/Browsershot.php

@@ -5,6 +5,7 @@
 use Spatie\Browsershot\Exceptions\CouldNotTakeBrowsershot;
 use Spatie\Browsershot\Exceptions\ElementNotFound;
 use Spatie\Browsershot\Exceptions\FileUrlNotAllowed;
+use Spatie\Browsershot\Exceptions\HtmlIsNotAllowedToContainFile;
 use Spatie\Browsershot\Exceptions\UnsuccessfulResponse;
 use Spatie\Image\Image;
 use Spatie\Image\Manipulations;
@@ -255,6 +256,10 @@ public function setProxyServer(string $proxyServer)
 
     public function setHtml(string $html)
     {
+        if (Helpers::stringContains(strtolower($html), 'file://')) {
+            throw HtmlIsNotAllowedToContainFile::make();
+        }
+
         $this->html = $html;
         $this->url = '';
 

src/Exceptions/HtmlIsNotAllowedToContainFile.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Spatie\Browsershot\Exceptions;
+
+use Exception;
+
+class HtmlIsNotAllowedToContainFile extends Exception
+{
+    public static function make()
+    {
+        return new static("The specified HTML contains `file://`. This is not allowed.");
+    }
+}

src/Helpers.php

@@ -8,6 +8,11 @@ public static function stringStartsWith($haystack, $needle): bool
     {
         $length = strlen($needle);
 
-        return substr( $haystack, 0, $length ) === $needle;
+        return substr($haystack, 0, $length) === $needle;
+    }
+
+    public static function stringContains($haystack, $needle): bool
+    {
+        return strpos($haystack, $needle) !== false;
     }
 }

tests/BrowsershotTest.php

@@ -4,6 +4,7 @@
 use Spatie\Browsershot\Exceptions\CouldNotTakeBrowsershot;
 use Spatie\Browsershot\Exceptions\ElementNotFound;
 use Spatie\Browsershot\Exceptions\FileUrlNotAllowed;
+use Spatie\Browsershot\Exceptions\HtmlIsNotAllowedToContainFile;
 use Spatie\Browsershot\Exceptions\UnsuccessfulResponse;
 use Spatie\Image\Manipulations;
 use Symfony\Component\Process\Exception\ProcessFailedException;
@@ -78,6 +79,10 @@
     expect($targetPath)->toBeFile();
 });
 
+it('will not allow html to contain file://', function () {
+    Browsershot::html('<h1><img src="file://" /></h1>');
+})->throws(HtmlIsNotAllowedToContainFile::class);
+
 it('can take a high density screenshot', function () {
     $targetPath = __DIR__.'/temp/testScreenshot.png';
 

tests/HelpersTest.php

@@ -10,3 +10,11 @@
     ['file://hey', 'file://', true],
     ['https://spatie.be', 'file://', false],
 ]);
+
+it('can determine if a string starts contains a substring', function(string $haystack, $needle, $expectedResult) {
+    expect(Helpers::stringContains($haystack, $needle))->toBe($expectedResult);
+})->with([
+    ['heyheyfile://', 'file://', true],
+    ['http://spatie.be', 'file://', false],
+    ['file://hey', 'file://', true],
+]);