
add a "safe images" option for Html::addHtml #2808

Open
@nilpotence

Description

Describe the problem

The docs say that user input should not be passed to the Html::addHtml function so as to not allow for server-side request forgery and so on.
From reading the code it seems like there are two entry points for an attacker:

  • if the attacker puts a malicious URL in src, it will be called on line 1023: if ($imgBlob = @file_get_contents($src)) {
  • if the attacker puts the path of an arbitrary file in src, it will be read when trying to generate the output document.

Describe the expected behavior

If that's indeed the only places where an attack can occur, it should be possible to add options for either:

  • ignoring img tags altogether
  • only allowing images from a specific directory
  • only allowing images with inline base64 encoded data

I think this would allow for safely passing user-generated input to the Html::addHtml function.

I can work on a PR if you agree with my proposal.

Priority

  • I want to crowdfund the feature (with @algora-io) and fund a community developer.
  • I want to pay the feature and fund a maintainer for that. (Contact @Progi1984)
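The three options proposed in the issue, implemented as an added pre-filter that runs over the user-supplied HTML before it reaches Html::addHtml. This is example code, not PHPWord's; the function name, the policy constants and the sample input are this example's own, and the directory policy assumes image paths are relative to one configured base directory.

```php
<?php
// Added example (not PHPWord's code): sanitise <img src> values before the
// HTML is handed to Html::addHtml, so file_get_contents() never sees a URL or
// an arbitrary file path chosen by the user. Policy names are hypothetical.

const IMG_POLICY_STRIP     = 'strip';     // drop every <img>
const IMG_POLICY_DIRECTORY = 'directory'; // allow local files under one base dir only
const IMG_POLICY_INLINE    = 'inline';    // allow data:image/...;base64 URIs only

function sanitizeImgSources(string $html, string $policy, string $baseDir = ''): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is often sloppy; don't emit warnings
    // Wrap the fragment so it parses as a single element tree.
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    // Copy the live node list first: removing nodes while iterating it skips elements.
    $images   = iterator_to_array($dom->getElementsByTagName('img'));
    $realBase = $baseDir !== '' ? realpath($baseDir) : false;

    foreach ($images as $img) {
        $src  = trim($img->getAttribute('src'));
        $keep = false;
        switch ($policy) {
            case IMG_POLICY_DIRECTORY:
                // Resolve symlinks and ".." first, then require the result to stay under the
                // base directory. URLs, stream wrappers and traversal all fail this check.
                $real = ($realBase !== false && $src !== '') ? realpath($realBase . '/' . $src) : false;
                $prefix = $realBase . DIRECTORY_SEPARATOR;
                $keep = $real !== false && is_file($real)
                    && strncmp($real, $prefix, strlen($prefix)) === 0;
                if ($keep) { $img->setAttribute('src', $real); } // pass the resolved path on
                break;
            case IMG_POLICY_INLINE:
                // Embedded data only: nothing is fetched over the network or opened on disk.
                $keep = (bool) preg_match('#^data:image/(png|jpe?g|gif|bmp);base64,[A-Za-z0-9+/=\s]+$#', $src);
                break;
            case IMG_POLICY_STRIP:
            default:
                $keep = false;
        }
        if (!$keep) { $img->parentNode->removeChild($img); }
    }

    $out = '';
    foreach ($dom->documentElement->childNodes as $child) { $out .= $dom->saveHTML($child); }
    return $out;
}

// Constructed sample: a remote URL, a relative path, and an inline image. Only the last survives.
$userHtml = '<p>Hi</p><img src="http://internal.example/"><img src="../secret.txt"><img src="data:image/png;base64,iVBORw0KGgo=">';
echo sanitizeImgSources($userHtml, IMG_POLICY_INLINE), PHP_EOL;
```

The returned string is what should be passed to Html::addHtml; with IMG_POLICY_DIRECTORY the surviving src attributes are already resolved to absolute paths inside the configured directory.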
