Html2Pdf is using the default Security service to protect the external included files (CSS, images, ...).
It allows :
- HTTP/HTTPS external files
- Local Files
It does not protect again Blind SSRF. This means that the library loads external resources without validating the destination address before sending an HTTP request.
This is not the responsibility of this library.
You must ensure that the HTML you want to convert is secure, especially if it is generated from uncontrolled data contributed by users. In such cases, an attacker could send requests to both external servers and restricted-access servers (e.g., within a local network).
If you need additional security, you can implement the SecurityInterface,
and call the method setSecurityService on the Html2Pdf object to use it.