Merge pull request #13 from pxlrbt/feature/fix-display-filename

Sanitize filename

Author: pxlrbt

src/Concerns/CanBeRendered.php

@@ -21,10 +21,15 @@ public function stream()
 
     public function download(?string $filename = null)
     {
+        $filename = $filename ?? $this->displayFilename();
+
+        // Remove all characters that are not the separator, letters, numbers, or whitespace
+        $sanitizedFilename = preg_replace('![^'.preg_quote('-').'\pL\pN\s]+!u', '', $filename);
+
         return response()->streamDownload(function () {
             echo $this->driver()->getData($this);
         },
-            $filename ?? $this->displayFilename(),
+            $sanitizedFilename,
             ['Content-Type' => 'application/pdf']
         );
     }

src/Pdfable.php

@@ -8,7 +8,7 @@
 use Illuminate\Contracts\View\View;
 use pxlrbt\LaravelPdfable\Layout\Page;
 
-abstract class Pdfable implements Renderable, ShouldQueue, Attachable
+abstract class Pdfable implements Attachable, Renderable, ShouldQueue
 {
     use Concerns\CanAccessPropertiesAndMethods;
     use Concerns\CanBeAttached;