File: changelog

Package: php-dompdf 2.0.3+dfsg-1 (area: main; suite: bookworm)

# Dompdf 2.0.3 - Feb 7, 2023

## This release addresses the following vulnerability

- URI validation failure on SVG parsing: CVE-2023-24813

# Dompdf 2.0.2 - Jan 31, 2023

## Change highlights since 2.0.1

- Improved CSS selector parsing and handling, particularly around pseudo-classes
- Addressed issues with too-eager whitespace removal
- Updated Cpdf back end to fix rendering of unclosed paths in SVG images

## This release addresses the following vulnerability

- URI validation failure on SVG parsing: CVE-2023-23924

# Dompdf 2.0.1 - Sep 22, 2022

## Change highlights since 2.0.0

- Improved font-face declaration parsing and handling. External fonts are now restricted by resource access constraints.
- Improved layout of images with percentage-based dimensions

## This release addresses the following vulnerability

- Remote Code Execution via font installation: CVE-2022-41343

# Dompdf 2.0.0 - Jun 23, 2022

## Change highlights since 1.2.x

- Addresses multiple security vulnerabilities (see below)
- Modifies callback and page_script/page_text handling (breaking change, see below)
- Switches the HTML5 parser to Masterminds/HTML5
- Improves CSS property parsing and representation
- Improves border, outline, and background rendering for inline elements
- Switches installed fonts and font metrics cache file format to JSON
- Adds support for the inset CSS shorthand property and the legacy break-word keyword for word-break
- Adds "end_document" callback event

## This release addresses the following announced vulnerabilities

- Improper Restriction of XML External Entity Reference: CVE-2021-3902
- Deserialization of Untrusted Data: CVE-2021-3838
- External Control of File Name or Path: CVE-2022-2400
- Server-Side Request Forgery: CVE-2022-0085

## Breaking Changes

- Callback signature change: callbacks should now accept three individual arguments (Frame, Canvas, FontMetrics)
- Canvas::page_* methods are executed immediately rather than during output generation and should be called after rendering the document
- Cpdf::polygon method signature changed, no longer accepts the number of points

See the [migration guide](https://github.com/dompdf/dompdf/wiki/Migration-Guide) for details