Security notes update

[eoinwm-cisa]

We did some analysis regarding SSRF vulnerabilities (CVE-2025-51591, CVE-2022-35583) and came up with suggested changes for the documentation.

Related: #11261 #10682 #8874 #11200

[amanion-cisa]

CC @dw4rren.

[jgm]

It would be good to know if any of the other via-HTML pdf-engines are subject to the same problem as wkhtmltopdf. That would allow more useful guidance.

[yanntrividic]

It would be good to know if any of the other via-HTML pdf-engines are subject to the same problem as wkhtmltopdf. That would allow more useful guidance.

WeasyPrint, when correctly configured, is not subject to the SSRF vulnerability (Kozea/WeasyPrint#1288, ping @liZe).

I don't know if is the case for pagedjs-cli though, as I have not found anything on the repos about this. Maybe @fchasen or @julientaq know?

[liZe]

WeasyPrint does not support iframes at all, so it should be safe with this one.

[zmanion]

In our testing, pagedjs-cli is vulnerable similarly to wkhtmltopdf:

pandoc -o output.pdf input.html -f html+raw_html --pdf-engine pagedjs-cli
pandoc -o output.pdf input.md --pdf-engine pagedjs-cli

prince is not vulnerable by default but can be made vulnerable using the --iframes option:

pandoc -f html+raw_html --pdf-engine prince --pdf-engine-opt=--iframes -o out.pdf input.html

Edit: CVE-2018-19858 looks like the PrinceXML analog to CVE-2022-35583 for wkhtmltopdf.

input.html and input.md contain something like:

<html><iframe src=http://internal-webserver:8000/sensitive-data.html /></html>

[jgm]

do not change this; I will change before a release

[jgm]

This is an extraneous change and shouldn't be part of this PR.

[jgm]

No reason to change the heading