tecnickcom
diff --git a/‎README.md‎
Lines changed: 52 additions & 0 deletions b/‎README.md‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎composer.json‎
Lines changed: 6 additions & 6 deletions b/‎composer.json‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎examples/E031_html_features.php‎
Lines changed: 13 additions & 0 deletions b/‎examples/E031_html_features.php‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎examples/E045_encryption_and_permissions.php‎
Lines changed: 96 additions & 0 deletions b/‎examples/E045_encryption_and_permissions.php‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎examples/index.md‎
Lines changed: 1 addition & 0 deletions b/‎examples/index.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎resources/debian/control‎
Lines changed: 9 additions & 9 deletions b/‎resources/debian/control‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎resources/rpm/rpm.spec‎
Lines changed: 9 additions & 9 deletions b/‎resources/rpm/rpm.spec‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎src/Base.php‎
Lines changed: 1 addition & 1 deletion b/‎src/Base.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/ClassObjects.php‎
Lines changed: 41 additions & 3 deletions b/‎src/ClassObjects.php‎
Lines changed: 41 additions & 3 deletions
@@ -24,6 +24,7 @@ If this library saves you time, please consider [supporting its development via
 - [Installation](#installation)
 - [Font Setup](#font-setup)
 - [Quick Start](#quick-start)
+- [Remote Resources and fileOptions](#remote-resources-and-fileoptions)
 - [Digital Signatures](#digital-signatures)
 - [PDF/X Conformance](#pdfx-conformance)
 - [PDF/UA Accessibility](#pdfua-accessibility)
@@ -276,6 +277,57 @@ If the minimal example fails on first run, verify these two points first:
 
 ---
 
+## Remote Resources and `fileOptions`
+
+By default `tc-lib-pdf` **does not fetch any remote URLs**. Images, fonts, and SVG files referenced by HTTP or HTTPS are blocked unless you explicitly allow the originating hosts. Local file paths are never restricted.
+
+Remote access is controlled by the optional `$fileOptions` array passed as the last argument to the `Tcpdf` constructor (and forwarded to `initClassObjects()`).
+
+### Allowing remote hosts
+
+```php
+$pdf = new \Com\Tecnick\Pdf\Tcpdf(
+    unit: 'mm',
+    fileOptions: [
+        'allowedHosts' => ['cdn.example.com', 'assets.myapp.io'],
+    ],
+);
+```
+
+Only the listed host names are permitted. Any attempt to load a resource from an unlisted host is silently blocked. Supply an explicit allowlist rather than a wildcard to limit the attack surface when user-supplied URLs might reach this code path.
+
+### All `fileOptions` keys
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| `allowedHosts` | `string[]` | `[]` (none) | Host names the library may fetch over HTTP/HTTPS. Remote loading is disabled when this list is empty. |
+| `maxRemoteSize` | `int` | `52428800` (50 MiB) | Maximum bytes accepted for a single remote download. Requests exceeding this limit are aborted. |
+| `curlopts` | `array<int, bool\|int\|string>` | `[]` | Per-request cURL options (keyed by `CURLOPT_*` constants) merged on top of the built-in defaults. |
+| `defaultCurlOpts` | `array<int, bool\|int\|string>` | `null` | Replaces the built-in default cURL option set entirely. Omit this key to keep the safe defaults. |
+| `fixedCurlOpts` | `array<int, bool\|int\|string>` | `null` | cURL options that are always enforced and cannot be overridden by `curlopts` — useful for pinning TLS settings in locked-down environments. |
+
+### Example: pinning TLS and setting a short timeout
+
+```php
+$pdf = new \Com\Tecnick\Pdf\Tcpdf(
+    unit: 'mm',
+    fileOptions: [
+        'allowedHosts'  => ['cdn.example.com'],
+        'maxRemoteSize' => 10 * 1024 * 1024, // 10 MiB
+        'curlopts'      => [
+            CURLOPT_TIMEOUT        => 10,
+            CURLOPT_CONNECTTIMEOUT => 5,
+        ],
+        'fixedCurlOpts' => [
+            CURLOPT_SSL_VERIFYPEER => true,
+            CURLOPT_SSL_VERIFYHOST => 2,
+        ],
+    ],
+);
+```
+
+---
+
 ## Digital Signatures
 
 `tc-lib-pdf` supports detached CMS (PKCS#7) signatures with optional RFC 3161 timestamps and LTV (Long-Term Validation) material, all embedded in a single PDF revision.
 
@@ -1 +1 @@
-8.10.4
+8.11.0
@@ -23,13 +23,13 @@
     "ext-date": "*",
     "ext-pcre": "*",
     "tecnickcom/tc-lib-barcode": "^2.4",
-    "tecnickcom/tc-lib-color": "^2.4",
-    "tecnickcom/tc-lib-pdf-image": "^2.1",
-    "tecnickcom/tc-lib-pdf-font": "^2.6",
-    "tecnickcom/tc-lib-file": "^2.3",
-    "tecnickcom/tc-lib-pdf-encrypt": "^2.1",
+    "tecnickcom/tc-lib-color": "^2.5",
+    "tecnickcom/tc-lib-pdf-image": "^2.2",
+    "tecnickcom/tc-lib-pdf-font": "^2.7",
+    "tecnickcom/tc-lib-file": "^2.5",
+    "tecnickcom/tc-lib-pdf-encrypt": "^2.2",
     "tecnickcom/tc-lib-unicode-data": "^2.0",
-    "tecnickcom/tc-lib-unicode": "^2.0",
+    "tecnickcom/tc-lib-unicode": "^2.1",
     "tecnickcom/tc-lib-pdf-page": "^4.3",
     "tecnickcom/tc-lib-pdf-graph": "^2.4"
   },
 
@@ -350,6 +350,19 @@
 
 // ----------
 
+// HTML E-L
+
+$html_05L = '<p>Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo. Lima Mike November Oscar Papa Quebec Romeo (<em>Sierra-Tango</em>) Uniform Victor Whiskey (<em>Xray-Yankee</em>). Zulu. Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo. Lima Mike November Oscar Papa Quebec Romeo (<em>Sierra-Tango</em>) Uniform Victor Whiskey (<em>Xray-Yankee</em>). Zulu. Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo. Lima Mike November Oscar Papa Quebec Romeo (<em>Sierra-Tango</em>) Uniform Victor Whiskey (<em>Xray-Yankee</em>). Zulu.</p>';
+
+$pdf->addHTMLCell(
+    $html_05L,
+    20,
+    100,
+    180,
+);
+
+// ----------
+
 // HTML E-B
 
 $pageV05B = $pdf->addPage();
 
@@ -0,0 +1,96 @@
+<?php
+/**
+ * E045_encryption_and_permissions.php
+ *
+ * @since       2026-04-27
+ * @category    Library
+ * @package     Pdf
+ * @author      Nicola Asuni <info@tecnick.com>
+ * @copyright   2002-2026 Nicola Asuni - Tecnick.com LTD
+ * @license     https://www.gnu.org/copyleft/lesser.html GNU-LGPL v3 (see LICENSE.TXT)
+ * @link        https://github.com/tecnickcom/tc-lib-pdf
+ *
+ * This file is part of tc-lib-pdf software library.
+ */
+
+// NOTE: run make deps fonts in the project root to generate the dependencies and example fonts.
+
+// autoloader when using Composer
+require(__DIR__ . '/../vendor/autoload.php');
+
+// define fonts directory
+\define('K_PATH_FONTS', \realpath(__DIR__ . '/../vendor/tecnickcom/tc-lib-pdf-font/target/fonts'));
+
+// autoloader when using RPM or DEB package installation
+//require ('/usr/share/php/Com/Tecnick/Pdf/autoload.php');
+
+$fileId = \md5('E045_encryption_and_permissions');
+$encrypt = new \Com\Tecnick\Pdf\Encrypt\Encrypt(
+    true,
+    $fileId,
+    2,
+    ['modify', 'copy', 'annot-forms', 'assemble'],
+    'demo-user',
+    'demo-owner'
+);
+
+// main TCPDF object
+$pdf = new \Com\Tecnick\Pdf\Tcpdf(
+    'mm', // string $unit = 'mm',
+    true, // bool $isunicode = true,
+    false, // bool $subsetfont = false,
+    true, // bool $compress = true,
+    '', // string $mode = '',
+    $encrypt, // ?ObjEncrypt $objEncrypt = null,
+);
+
+// ----------
+
+
+$pdf->setCreator('tc-lib-pdf');
+$pdf->setAuthor('Nicola Asuni');
+$pdf->setSubject('tc-lib-pdf example: 045');
+$pdf->setTitle('HTML Features Example');
+$pdf->setKeywords('TCPDF tc-lib-pdf example Encryption and Permissions');
+$pdf->setPDFFilename('E045_encryption_and_permissions.pdf');
+
+$pdf->setViewerPreferences(['DisplayDocTitle' => true]);
+
+$pdf->enableDefaultPageContent();
+
+// ----------
+// Insert fonts
+
+$bfont = $pdf->font->insert($pdf->pon, 'helvetica', '', 10);
+
+$page01 = $pdf->addPage();
+$pdf->page->addContent($bfont['out']);
+
+$html =  <<<HTML
+<h1>Encryption and Permissions</h1>
+<p>This document demonstrates PDF encryption and permission controls using tc-lib-pdf.
+The file is protected with a user password (<em>demo-user</em>) and an owner password (<em>demo-owner</em>).
+Encryption restricts unauthorized access while the owner password grants full control.
+The allowed permissions for this document are: <strong>modify</strong>, <strong>copy</strong>,
+<strong>annot-forms</strong>, and <strong>assemble</strong>.
+All other operations, such as printing, are denied.</p>
+HTML;
+
+$pdf->addHTMLCell(
+    $html,
+    20,
+    10,
+    180, 
+);
+
+// ----------
+
+// get PDF document as raw string
+$rawpdf = $pdf->getOutPDFString();
+
+// Various output modes:
+
+//$pdf->savePDF(\dirname(__DIR__).'/target', $rawpdf);
+$pdf->renderPDF($rawpdf);
+//$pdf->downloadPDF($rawpdf);
+//echo $pdf->getMIMEAttachmentPDF($rawpdf);
@@ -47,3 +47,4 @@ This index lists all runnable examples bundled with tc-lib-pdf, from foundationa
 - [E042_html_form.php](E042_html_form.php): XHTML form-to-PDF mapping example for inputs, selects, textarea, and actions.
 - [E043_html_tables.php](E043_html_tables.php): HTML table layout showcase including colspan/rowspan, nested tables, and CSS styling.
 - [E044_toc_index.php](E044_toc_index.php): Bookmark outline example with generated table of contents via addTOC.
+- [E045_encryption_and_permissions.php](E045_encryption_and_permissions.php): PDF encryption and permission controls with user and owner passwords.
@@ -14,23 +14,23 @@ Provides: php-~#PROJECT#~
 Architecture: all
 Depends: php (>= 8.1.0), php-date,
  php-tecnickcom-tc-lib-barcode (<< 3.0.0),
- php-tecnickcom-tc-lib-barcode (>= 2.4.36),
+ php-tecnickcom-tc-lib-barcode (>= 2.4.37),
  php-tecnickcom-tc-lib-color (<< 3.0.0),
- php-tecnickcom-tc-lib-color (>= 2.4.1),
+ php-tecnickcom-tc-lib-color (>= 2.5.0),
  php-tecnickcom-tc-lib-file (<< 3.0.0),
- php-tecnickcom-tc-lib-file (>= 2.3.9),
+ php-tecnickcom-tc-lib-file (>= 2.5.0),
  php-tecnickcom-tc-lib-pdf-encrypt (<< 3.0.0),
- php-tecnickcom-tc-lib-pdf-encrypt (>= 2.1.43),
+ php-tecnickcom-tc-lib-pdf-encrypt (>= 2.2.0),
  php-tecnickcom-tc-lib-pdf-font (<< 3.0.0),
- php-tecnickcom-tc-lib-pdf-font (>= 2.6.41),
+ php-tecnickcom-tc-lib-pdf-font (>= 2.7.0),
  php-tecnickcom-tc-lib-pdf-graph (<< 3.0.0),
- php-tecnickcom-tc-lib-pdf-graph (>= 2.4.20),
+ php-tecnickcom-tc-lib-pdf-graph (>= 2.4.21),
  php-tecnickcom-tc-lib-pdf-image (<< 3.0.0),
- php-tecnickcom-tc-lib-pdf-image (>= 2.1.41),
+ php-tecnickcom-tc-lib-pdf-image (>= 2.2.0),
  php-tecnickcom-tc-lib-pdf-page (<< 5.0.0),
- php-tecnickcom-tc-lib-pdf-page (>= 4.3.20),
+ php-tecnickcom-tc-lib-pdf-page (>= 4.3.21),
  php-tecnickcom-tc-lib-unicode (<< 3.0.0),
- php-tecnickcom-tc-lib-unicode (>= 2.0.52),
+ php-tecnickcom-tc-lib-unicode (>= 2.1.0),
  php-tecnickcom-tc-lib-unicode-data (<< 3.0.0),
  php-tecnickcom-tc-lib-unicode-data (>= 2.0.51),
  ${misc:Depends}
 
@@ -18,25 +18,25 @@ Requires:  php(language) >= 8.1.0
 Requires:  php-date
 Requires:  php-pcre
 Requires:  php-composer(%{c_vendor}/tc-lib-barcode) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-barcode) >= 2.4.36
+Requires:  php-composer(%{c_vendor}/tc-lib-barcode) >= 2.4.37
 Requires:  php-composer(%{c_vendor}/tc-lib-color) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-color) >= 2.4.1
+Requires:  php-composer(%{c_vendor}/tc-lib-color) >= 2.5.0
 Requires:  php-composer(%{c_vendor}/tc-lib-pdf-image) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-pdf-image) >= 2.1.41
+Requires:  php-composer(%{c_vendor}/tc-lib-pdf-image) >= 2.2.0
 Requires:  php-composer(%{c_vendor}/tc-lib-pdf-font) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-pdf-font) >= 2.6.41
+Requires:  php-composer(%{c_vendor}/tc-lib-pdf-font) >= 2.7.0
 Requires:  php-composer(%{c_vendor}/tc-lib-file) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-file) >= 2.3.9
+Requires:  php-composer(%{c_vendor}/tc-lib-file) >= 2.5.0
 Requires:  php-composer(%{c_vendor}/tc-lib-pdf-encrypt) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-pdf-encrypt) >= 2.1.43
+Requires:  php-composer(%{c_vendor}/tc-lib-pdf-encrypt) >= 2.2.0
 Requires:  php-composer(%{c_vendor}/tc-lib-unicode-data) < 3.0.0
 Requires:  php-composer(%{c_vendor}/tc-lib-unicode-data) >= 2.0.51
 Requires:  php-composer(%{c_vendor}/tc-lib-unicode) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-unicode) >= 2.0.52
+Requires:  php-composer(%{c_vendor}/tc-lib-unicode) >= 2.1.0
 Requires:  php-composer(%{c_vendor}/tc-lib-pdf-page) < 5.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-pdf-page) >= 4.3.20
+Requires:  php-composer(%{c_vendor}/tc-lib-pdf-page) >= 4.3.21
 Requires:  php-composer(%{c_vendor}/tc-lib-pdf-graph) < 3.0.0
-Requires:  php-composer(%{c_vendor}/tc-lib-pdf-graph) >= 2.4.20
+Requires:  php-composer(%{c_vendor}/tc-lib-pdf-graph) >= 2.4.21
 
 Provides:  php-composer(%{c_vendor}/%{gh_project}) = %{version}
 Provides:  php-%{gh_project} = %{version}
 
@@ -189,7 +189,7 @@ abstract class Base
     /**
      * TCPDF version.
      */
-    protected string $version = '8.10.4';
+    protected string $version = '8.11.0';
 
     /**
      * Time is seconds since EPOCH when the document was created.
 
@@ -41,17 +41,47 @@
  * @license   https://www.gnu.org/copyleft/lesser.html GNU-LGPL v3 (see LICENSE.TXT)
  * @link      https://github.com/tecnickcom/tc-lib-pdf
  *
+ * @phpstan-type TFileOptions array{
+ *   allowedHosts?: array<string>,
+ *   maxRemoteSize?: int,
+ *   curlopts?: array<int, bool|int|string>,
+ *   defaultCurlOpts?: array<int, bool|int|string>,
+ *   fixedCurlOpts?: array<int, bool|int|string>
+ * }
+ *
  * @SuppressWarnings("PHPMD.DepthOfInheritance")
  */
 abstract class ClassObjects extends \Com\Tecnick\Pdf\Output
 {
    /**
     * Initialize dependencies class objects.
     *
-    * @param ?ObjEncrypt $objEncrypt Encryption object.
+    * @param ?ObjEncrypt $objEncrypt  Encryption object.
+    * @param TFileOptions|null $fileOptions Optional configuration for the shared file helper used
+    *                                       to load external resources (images, fonts, SVG, etc.).
+    *                                       Supported keys:
+    *                                       - allowedHosts (string[]): Whitelist of host names that
+    *                                         the library is allowed to fetch over HTTP/HTTPS. For
+    *                                         security reasons remote URL loading is DISABLED by
+    *                                         default; you MUST populate this list (for example
+    *                                         ['example.com', 'cdn.example.com']) to enable any
+    *                                         remote download. Local file paths are not affected.
+    *                                       - maxRemoteSize (int): Maximum size in bytes accepted
+    *                                         for a remote download (default 52428800 = 50 MiB).
+    *                                       - curlopts (array<int,bool|int|string>): Per-request
+    *                                         cURL options merged on top of the defaults (keys are
+    *                                         CURLOPT_* constants).
+    *                                       - defaultCurlOpts (array<int,bool|int|string>):
+    *                                         Replaces the built-in default cURL options. Use with
+    *                                         care; omit to keep the safe defaults.
+    *                                       - fixedCurlOpts (array<int,bool|int|string>): cURL
+    *                                         options that are always enforced and cannot be
+    *                                         overridden by curlopts (for example to pin TLS
+    *                                         settings).
     */
     public function initClassObjects(
-        ?ObjEncrypt $objEncrypt = null
+        ?ObjEncrypt $objEncrypt = null,
+        ?array $fileOptions = null
     ): void {
         if ($objEncrypt instanceof ObjEncrypt) {
             $this->encrypt = $objEncrypt;
@@ -62,7 +92,13 @@ public function initClassObjects(
         $this->color = new ObjPdfColor();
         $this->color->setForceDeviceCmyk($this->requiresPdfxDeviceCmyk());
         $this->barcode = new ObjBarcode();
-        $this->file = new ObjFile();
+        $this->file = new ObjFile(
+            $fileOptions['allowedHosts'] ?? [],
+            $fileOptions['maxRemoteSize'] ?? 52428800,
+            $fileOptions['curlopts'] ?? [],
+            $fileOptions['defaultCurlOpts'] ?? null,
+            $fileOptions['fixedCurlOpts'] ?? null,
+        );
         $this->cache = new ObjCache();
         $this->uniconv = new ObjUniConvert();
 
@@ -95,13 +131,15 @@ public function initClassObjects(
             $this->subsetfont,
             $this->isunicode,
             $pdfamode,
+            $fileOptions,
         );
 
         $this->image = new ObjImage(
             $this->kunit,
             $this->encrypt,
             $pdfamode,
             $this->compress,
+            $fileOptions,
         );
     }
 }