Dompdf 2.0.0
This release has been superseded by version 2.0.1
Change highlights since 1.2.x
- Addresses multiple security vulnerabilities (see below)
- Modifies callback and page_script/page_text handling (breaking change, see below)
- Switches the HTML5 parser to Masterminds/HTML5
- Improves CSS property parsing and representation
- Improves border, outline, and background rendering for inline elements
- Switches installed fonts and font metrics cache file format to JSON
- Adds support for the
inset
CSS shorthand property and the legacybreak-word
keyword forword-break
- Adds "end_document" callback event
The full list of addressed issues can be found in the release milestone. View all changes since the previous release in the commit history.
This release addresses the following announced vulnerabilities:
Vulnerability | References | Type | Severity |
---|---|---|---|
Improper Restriction of XML External Entity Reference | #2564, CVE-2021-3902, huntr.dev | Information Disclosure; Remote Code Execution | Critical |
Deserialization of Untrusted Data | #2564, CVE-2021-3838, huntr.dev | Remote Code Execution | Critical |
External Control of File Name or Path | #2564, CVE-2022-2400, huntr.dev | Information Disclosure | Medium |
Server-Side Request Forgery | #2564, CVE-2022-0085, huntr.dev | SSRF | Medium |
Breaking Changes
- Callback signature change: callbacks should now accept three individual arguments (Frame, Canvas, FontMetrics)
- Canvas::page_* methods are executed immediately rather than during output generation and should be called after rendering the document
- Cpdf::polygon method signature changed, no longer accepts the number of points
- See the migration guide for details
We would like to extend our gratitude to the community members who helped make this release possible.
Requirements
Dompdf 2.0.0 requires the following:
- PHP 7.1 or greater
- MBString
- php-font-lib
- php-svg-lib
Additionally, the following are recommended for optimal use:
- GD (for image processing)
allow_url_fopen
set to true or the curl PHP extension (for retrieving stylesheets, images, etc via http)
For full requirements and recommendations see the requirements page on the wiki.
Download Instructions
The dompdf team recommends that you use Composer for easier dependency management.
If you're not yet using Composer you can download a packaged release of dompdf which includes all the files you need to use the library. Click the link labeled "dompdf_2-0-0.zip" for the packaged release. The download options labeled "Source code" are auto-generated by github and do not include all the dependencies.