
How to prevent SSRF with user-generated content

pkjackson
Hi,

Can you please say if there are any options in PrinceXML to help combat SSRF?

Given that princeXML runs on a server, we need to ensure that any resources that are referenced in the HTML or CSS do not point to addresses inside the firewall.

Regards Peter
mikeday
In the case of running Prince on untrusted and unsanitised content I would suggest hosting it in a container that doesn't have unlimited access to the local network, for safety.
csant
A good place to start is the chapter on Security in the Prince documentation.
pkjackson
Thanks mike and csant.

I had not seen the security section before, but we're pretty good on all of those things.

Our content is antisamy'd already, but for some quite subtle reasons, I think mike is right that the only safe way is to run it in a container or on a separate VM outside the network.
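As an added example (not code from this thread or from Prince), here is a pre-conversion check for the requirement in Peter's first post: every resource referenced from the HTML or CSS is flagged if it uses a non-HTTP scheme or if its host resolves to a non-public address. The sample HTML, the resolver table and the `check_references` helper are all constructed for this example; it only complements the network isolation Mike recommends, since the hostname is resolved at check time, so DNS rebinding or an HTTP redirect to an internal host would still get past it.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Patterns for the common ways HTML and CSS reference external resources.
_ATTR_RE = re.compile(r"""\b(?:src|href|poster)\s*=\s*["']?([^"'\s>]+)""", re.I)
_CSS_URL_RE = re.compile(r"""url\(\s*["']?([^"')\s]+)["']?\s*\)""", re.I)
ALLOWED_SCHEMES = {"http", "https"}  # file:, data:, etc. are rejected outright

def extract_references(document):
    """Return every resource reference found in an HTML/CSS document."""
    refs = []
    for rx in (_ATTR_RE, _CSS_URL_RE):
        refs.extend(rx.findall(document))
    return refs

def is_internal_address(ip):
    """True unless globally routable: loopback, RFC 1918, link-local (169.254.169.254!), CGNAT."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    return not (addr if mapped is None else mapped).is_global

def check_references(document, resolve):
    """Return (reference, reason) pairs; `resolve` maps a hostname to its IP list."""
    findings = []
    for ref in extract_references(document):
        parsed = urlparse(ref)
        if not parsed.scheme and not parsed.netloc:
            continue  # relative path: resolved against the base URL, out of scope here
        if parsed.scheme and parsed.scheme not in ALLOWED_SCHEMES:
            findings.append((ref, f"scheme {parsed.scheme!r} is not allowed"))
            continue
        host = parsed.hostname or ""
        try:
            ips = [str(ipaddress.ip_address(host))]  # literal IP; urlparse strips IPv6 brackets
        except ValueError:
            ips = list(resolve(host) or [])  # resolved once, at check time, not at fetch time
        internal = [ip for ip in ips if is_internal_address(ip)]
        if not ips or internal:
            findings.append((ref, f"host {host!r} resolves to {internal or 'nothing'}"))
    return findings

# Constructed sample input and resolver table (no real DNS lookups are made).
SAMPLE_HTML = """<link rel="stylesheet" href="https://cdn.example.com/site.css">
<img src="http://169.254.169.254/latest/meta-data/">
<img src='http://intranet.corp.example/logo.png'>
<style>body { background: url("file:///etc/hostname"); }</style>
<img src="logo.png">"""
RESOLVER_TABLE = {"cdn.example.com": ["8.8.8.8"], "intranet.corp.example": ["10.20.30.40"]}
constructed_resolver = RESOLVER_TABLE.get  # returns None for unknown hosts
```

In production, pass a resolver pinned to a trusted DNS server and run the check inside the same isolated container that runs Prince, so both controls apply.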