3

I'm using the pdf.js library and to prevent XSS attacks, I've set enableScripting to false. This successfully prevents JavaScript execution when it is in the PDF-specific octal format, like /JS (app\056alert\050\047hello\047\051\073).

However, it fails to prevent execution when the script is written in a more direct format, like alert('XSS Exploit!').

To clarify, this implementation is not for my personal browser or a local environment. The issue stems from a web application we have developed, which allows users to upload their own PDF files.

For technical reasons, we are leveraging pdf.js to render these user-supplied PDFs directly within our application’s interface. Our critical requirement is to ensure that the rendering process is completely secure: the library must be configured to prevent any embedded JavaScript within the PDF from executing, while still displaying the document’s static visual content (text, images, etc.).

The goal is to neutralize any potential XSS threats originating from untrusted, user-uploaded files.

Is there an option to disable the execution of JavaScript code in the file preview?

7
  • FYI: Please note that Generative AI (e.g., ChatGPT) is banned and read Help Center: AI policy. It is not permitted to use AI tools to generate or reword content that you post on Stack Overflow. Commented Aug 19 at 15:32
  • 2
    Have you tried isEvalSupported: false? Commented Aug 19 at 16:12
  • Thank you, this worked and it doesn't show the alert; the only problem is that the file content gets corrupted in the preview. @Oro2 Commented Aug 19 at 16:29
  • 1
    @Oro2 I think because the js code was inside FontMatrix, it didn't display its content correctly. I don't think it's a problem and the solution you provided works correctly. Commented Aug 19 at 16:53
  • 1
    You can also consider some tips from Protecting against XSS in SVG article, even if it's related to SVG, it can give you an idea on how to prevent XSS beyond pdf.js options. Commented Aug 19 at 17:06

1 Answer 1

1

Set isEvalSupported to false, that should stop loading of injected JavaScript.

Depending on what version of pdf.js you are running, generally this works:

options={{isEvalSupported: false}}

isEvalSupported
Determines if strings can be evaluated as JavaScript.
Primarily used to improve performance of PDF functions.
Default: true

Reference


4 Comments

I have the same issue with my company's react-pdf package. I have added isEvalSupported to false to the options as per the react-pdf, yet I could see the alert() which was added to the PDF as an Open Action. I'm currently on v9 and it has the patch that will forcefully set isEvalSupported to false, but I don't know why I'm still seeing the alert().
Yes, alert() being executed
