Security: reuse PDF::html_to_pdf for the Wiki PDF export

AngelFQC · claude · AngelFQC · commit d7c079e87401 · 2026-06-16T08:42:47.000-05:00
Drop the dedicated static helper and render the wiki page through the
existing PDF::html_to_pdf(), whose mPDF instance is already built with
SafeMpdfHttpClient::container(). The page CSS is written first as header
CSS (html_to_pdf writes the page content in body mode, which ignores
inline &lt;style&gt; blocks) and the body is passed as a content item with
complete_style=false to keep the course header/footer/watermark out, as
the original export did. Dompdf (the second SSRF sink) stays removed.

Refs GHSA-x3j9-q879-46vr

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/public/main/inc/lib/pdf.lib.php b/public/main/inc/lib/pdf.lib.php
@@ -577,44 +577,6 @@ public static function singlePageHtmlToPdfDownload(
         exit;
     }
 
-    /**
-     * Renders a self-contained HTML document to a downloadable PDF.
-     *
-     * Reuses the SSRF-guarded mPDF instance built by the constructor and writes
-     * the given, already-styled HTML as-is, without format_pdf()'s course
-     * header/footer/watermark decoration. Intended for callers that build their
-     * own complete HTML document (e.g. the wiki page export).
-     *
-     * @param string $html     Complete HTML document to render
-     * @param string $fileName Output file name (without extension)
-     * @param string $title    Optional PDF metadata title
-     * @param int    $margin   Page margin in mm applied to the four sides
-     *
-     * @throws MpdfException
-     */
-    public static function htmlToPdfDownload(
-        string $html,
-        string $fileName,
-        string $title = '',
-        int $margin = 15
-    ): void {
-        $pdf = new self('A4', 'P', [
-            'left'   => $margin,
-            'right'  => $margin,
-            'top'    => $margin,
-            'bottom' => $margin,
-        ]);
-
-        if ('' !== $title) {
-            $pdf->pdf->SetTitle($title);
-        }
-
-        @$pdf->pdf->WriteHTML($html);
-
-        $pdf->pdf->Output(api_replace_dangerous_char($fileName).'.pdf', Destination::DOWNLOAD);
-        exit;
-    }
-
     /**
      * Gets the watermark from the platform or a course.
      *
diff --git a/public/main/wiki/wiki.inc.php b/public/main/wiki/wiki.inc.php
@@ -5381,28 +5381,46 @@ private function renderPdfFromHtmlDirect(string $title, string $content, string
         $safeTitle = trim($title) !== '' ? $title : 'wiki_page';
         $fileName = preg_replace('/\s+/', '_', (string) api_replace_dangerous_char($safeTitle));
 
-        // Wrap content (keep structure simple for HTML→PDF engines)
-        $html = '<!DOCTYPE html><html lang="'.htmlspecialchars(api_get_language_isocode()).'"><head>'
-            .'<meta charset="'.htmlspecialchars(api_get_system_encoding()).'">'
-            .'<title>'.htmlspecialchars($safeTitle).'</title>'
-            .'<style>'.$css.'</style>'
-            .'</head><body>'
-            .'<div class="wiki-title"><h1>'.htmlspecialchars($safeTitle).'</h1></div>'
-            .'<div class="wiki-content">'.$content.'</div>'
-            .'</body></html>';
+        $body = '<div class="wiki-title"><h1>'.htmlspecialchars($safeTitle).'</h1></div>'
+            .'<div class="wiki-content">'.$content.'</div>';
 
-        // Render through the shared PDF class, whose mPDF instance routes remote
-        // asset fetches through the SSRF-guarded HTTP client. This replaces the
+        // Render through the shared PDF class: its mPDF instance routes remote
+        // asset fetches through the SSRF-guarded HTTP client, replacing the
         // former direct mPDF/Dompdf instantiation (Dompdf's isRemoteEnabled was
-        // the second SSRF sink).
+        // the second SSRF sink). complete_style=false keeps the course
+        // header/footer/watermark out of the wiki export, as before.
         try {
-            PDF::htmlToPdfDownload($html, $fileName, $safeTitle, 12);
+            $pdf = new PDF('A4', 'P', [
+                'left'   => 12,
+                'right'  => 12,
+                'top'    => 12,
+                'bottom' => 12,
+            ]);
+            // Write the CSS as header CSS: html_to_pdf renders the page content
+            // in body mode (HTML_BODY), which ignores inline <style> blocks.
+            $pdf->pdf->WriteHTML($css, \Mpdf\HTMLParserMode::HEADER_CSS);
+            $pdf->html_to_pdf(
+                [['title' => $safeTitle, 'content' => $body]],
+                $fileName,
+                $courseCode,
+                false,
+                false,
+                false
+            );
         } catch (\Throwable $e) {
             // Continue to final fallback
         }
 
         // --- Final fallback: deliver HTML as download (not PDF) ---
         $downloadName = $fileName.'.pdf';
+        $html = '<!DOCTYPE html><html lang="'.htmlspecialchars(api_get_language_isocode()).'"><head>'
+            .'<meta charset="'.htmlspecialchars(api_get_system_encoding()).'">'
+            .'<title>'.htmlspecialchars($safeTitle).'</title>'
+            .'<style>'.$css.'</style>'
+            .'</head><body>'
+            .'<div class="wiki-title"><h1>'.htmlspecialchars($safeTitle).'</h1></div>'
+            .'<div class="wiki-content">'.$content.'</div>'
+            .'</body></html>';
         // Clean buffers to avoid header issues
         if (function_exists('ob_get_level')) {
             while (ob_get_level() > 0) { @ob_end_clean(); }
