From f791ce0ae8dd99367dbfa30588ee31e1196e1728 Mon Sep 17 00:00:00 2001
From: Freek Van der Herten
Date: Mon, 16 Dec 2024 10:39:41 +0100
Subject: [PATCH] do not allow view-source
---
 src/Browsershot.php | 8 +++++++-
 tests/BrowsershotTest.php | 3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/Browsershot.php b/src/Browsershot.php
index 3b88f10..4785bb4 100644
--- a/src/Browsershot.php
+++ b/src/Browsershot.php
@@ -259,7 +259,13 @@ public function setUrl(string $url): static
 {
 $url = trim($url);
- $unsupportedProtocols = ['file://', 'file:/', 'file:\\', 'file:\\\\'];
+ $unsupportedProtocols = [
+ 'file://',
+ 'file:/',
+ 'file:\\',
+ 'file:\\\\',
+ 'view-source',
+ ];
 foreach ($unsupportedProtocols as $unsupportedProtocol) {
 if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
diff --git a/tests/BrowsershotTest.php b/tests/BrowsershotTest.php
index c613f0c..7f787cb 100644
--- a/tests/BrowsershotTest.php
+++ b/tests/BrowsershotTest.php
@@ -56,9 +56,12 @@
 Browsershot::url($url);
 })->throws(FileUrlNotAllowed::class)->with([
 'file://test',
+ 'File://test',
 'file:/test',
 'file:\test',
 'file:\\test',
+ 'view-source',
+ 'View-Source'
 ]);
 it('will not allow a file url that has leading spaces', function () {
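Review bot: The `$unsupportedProtocols` list in `setUrl()` is still a prefix denylist, so every scheme that can reach local or browser-internal content has to be enumerated by hand, and anything not listed is passed on to the browser. Consider failing closed by parsing the scheme and accepting only what the library means to support, e.g. `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` followed by `if (! in_array($scheme, ['http', 'https'], true)) { /* reject as the loop does today */ }`; if callers depend on other schemes, those would need to be added to the allowlist explicitly. Separately, `'view-source'` has no trailing colon, unlike the `file:` entries, so it also rejects any input that merely begins with those characters; `'view-source:'` would match the scheme only. The loop body and the rest of `setUrl()` lie outside this hunk, so how a match is rejected is not visible here.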
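Review bot: The two added datasets, `'view-source'` and `'View-Source'`, are bare prefixes, so the test does not pin the form the check exists for, which is the scheme followed by a colon and a wrapped URL. Adding a constructed case such as `'view-source:https://example.test',` would document that, and unlike the bare prefixes it would keep passing if the production entry were later tightened to `'view-source:'`. The dataset expects `FileUrlNotAllowed` for a non-file scheme, which may mislead callers who catch it by name; whether a more general exception exists is not visible here. The last entry also lacks the trailing comma the other entries use. The enclosing test closure starts above the hunk.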