From a7981717b343dd09ece3962d36ebaf15e6852c4b Mon Sep 17 00:00:00 2001 From: pcworld <0188801@gmail.com> Date: Mon, 9 Apr 2018 02:45:50 +0200 Subject: [PATCH 1/2] addImage docs: Warn about user-generated strings --- docs/elements.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/elements.rst b/docs/elements.rst index c73ffa06..f2637ac9 100644 --- a/docs/elements.rst +++ b/docs/elements.rst @@ -234,7 +234,7 @@ To add an image, use the ``addImage`` method to sections, headers, footers, text $section->addImage($src, [$style]); -- ``$src``. String path to a local image, URL of a remote image or the image data, as a string. +- ``$src``. String path to a local image, URL of a remote image or the image data, as a string. Warning: Do not pass user-generated strings here, as that would allow an attacker to read arbitrary files or perform server-side request forgery by passing file paths or URLs instead of image data. - ``$style``. See :ref:`image-style`. Examples: From 6253adaba15a72f5310970d180e7f5b1c13a3242 Mon Sep 17 00:00:00 2001 From: pcworld <0188801@gmail.com> Date: Mon, 9 Apr 2018 02:47:16 +0200 Subject: [PATCH 2/2] Warn about parsing user-generated HTML --- src/PhpWord/Shared/Html.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/PhpWord/Shared/Html.php b/src/PhpWord/Shared/Html.php index d8a10b57..3f34968d 100644 --- a/src/PhpWord/Shared/Html.php +++ b/src/PhpWord/Shared/Html.php @@ -34,6 +34,8 @@ class Html * Add HTML parts. * * Note: $stylesheet parameter is removed to avoid PHPMD error for unused parameter + * Warning: Do not pass user-generated HTML here, as that would allow an attacker to read arbitrary + * files or perform server-side request forgery by passing local file paths or URLs in . * * @param \PhpOffice\PhpWord\Element\AbstractContainer $element Where the parts need to be added * @param string $html The code to parse
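Review bot: The new warning on the ``$src`` bullet in docs/elements.rst tells callers what not to do but gives no safe pattern, and it is the only parameter note, so a reader will need the positive guidance too. Consider adding one sentence after the warning along the lines of: pass image data you have already validated (for example, bytes you decoded and checked as an image yourself) or a path you construct from a fixed directory and a sanitised name, never a path or URL taken verbatim from a request. Also "user-generated strings" is narrower than the risk; "untrusted strings" covers data from any external source, not only end users. As a style point, the added line is very long for an .rst source; wrapping it to the width used elsewhere in the file would keep the diff readable.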
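Review bot: The added docblock warning in src/PhpWord/Shared/Html.php is incomplete: the second line ends with "by passing local file paths or URLs in ." so the name of the HTML element or attribute whose value is passed through is missing from the sentence. Either the text was cut off or the angle-bracket tag name was dropped; spell out which element and attribute (the one whose source value ends up in the image-loading path that the first patch warns about) so the warning is actionable. It would also help to state what a caller should do instead, for example sanitise the HTML to strip image sources before calling this, since a comment that only forbids untrusted input leaves the actual use case (rendering HTML supplied by users) without guidance. If docs/elements.rst documents the HTML-adding method as well, mirror the warning there as patch 1 did for ``addImage`` so that users reading only the docs see it.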