TCPDF is a widely-used PHP library for generating PDF documents. The library includes an Error() function designed to handle and display error messages when issues arise during PDF generation. However, in versions prior to 6.8.0 this function does not adequately sanitize error messages before rendering them, so any HTML contained in the message is emitted verbatim into the error page. Any function into which an attacker can feed data that later appears in an error message therefore becomes a potential source of an XSS vulnerability.
For example, suppose that an attacker is able to choose the font of their PDF. If the attacker supplies something like <script>alert(1)</script> as the font name, the SetFont() function will throw an error (since the font does not exist) and will consequently call the Error() function, which will insecurely display the error message containing the name of the non-existent font, script tag included.
Example of vulnerable code:
<?php
require_once('tcpdf.php');
// Untrusted, unvalidated input is taken straight from the query string
$font = $_GET['font'];
$pdf = new TCPDF();
// A non-existent font name makes SetFont() call Error() with the raw name in the message
$pdf->SetFont($font, '', 12);
$pdf->Output('output.pdf', 'I');
?>
The vulnerability has been fixed in version 6.8.0 by escaping the error message with the htmlspecialchars() function before it is rendered.
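The following is an added, hardened counterpart to the vulnerable snippet above; it is not TCPDF's own code. It assumes tcpdf.php is on the include path and that TCPDF is configured to raise exceptions from Error() rather than calling die() (the K_TCPDF_THROW_EXCEPTION_ERROR setting in tcpdf_config.php). The font allowlist is a constructed example and should reflect the fonts an application actually ships. Two independent controls are shown: the untrusted value is validated before it can reach SetFont(), and any error text that is rendered is escaped with htmlspecialchars(), the same function the 6.8.0 fix applies, so the mitigation does not depend on the library version alone.

```php
<?php
// Added example, not TCPDF project code.
// Assumes tcpdf.php is on the include path and that TCPDF's Error() throws
// (K_TCPDF_THROW_EXCEPTION_ERROR is enabled in tcpdf_config.php).
require_once('tcpdf.php');

// Control 1: allowlist the font name. Constructed list; replace with the fonts
// the application really provides. Attacker-controlled text never reaches SetFont().
$allowed_fonts = ['helvetica', 'times', 'courier', 'dejavusans'];
$requested = $_GET['font'] ?? 'helvetica';
$font = in_array($requested, $allowed_fonts, true) ? $requested : 'helvetica';

// Control 2: treat any error message as untrusted text when rendering it as HTML.
function render_error(string $message): string
{
    // ENT_QUOTES also escapes single quotes, so the value is safe inside attributes too.
    return '<p>PDF generation failed: '
        . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

try {
    $pdf = new TCPDF();
    $pdf->SetFont($font, '', 12);
    $pdf->AddPage();
    $pdf->Cell(0, 10, 'Hello, world');
    $pdf->Output('output.pdf', 'I');
} catch (Throwable $e) {
    // No PDF bytes have been sent yet (SetFont fails before Output), so an HTML
    // error page can still be returned. The message is escaped, not echoed raw:
    // <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;.
    header('Content-Type: text/html; charset=utf-8');
    echo render_error($e->getMessage());
}
```

The allowlist is the primary defence: with it in place a malformed font name is never passed to the library, so the error path is not reachable from user input at all. The escaping in render_error() is the defence-in-depth layer for every other way an error message might pick up caller-supplied data, and it is the layer that was missing in TCPDF before 6.8.0.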