javascript, xss, pdf.js

How to disable execution of JavaScript code in the file preview in order to prevent XSS attacks?


I'm using the pdf.js library and to prevent XSS attacks, I've set enableScripting to false. This successfully prevents JavaScript execution when it is in the PDF-specific octal format, like /JS (app\056alert\050\047hello\047\051\073).

However, it fails to prevent execution when the script is written in a more direct format, like alert('XSS Exploit!').

To clarify, this implementation is not for my personal browser or a local environment. The issue stems from a web application we have developed, which allows users to upload their own PDF files.

For technical reasons, we are leveraging pdf.js to render these user-supplied PDFs directly within our application’s interface. Our critical requirement is to ensure that the rendering process is completely secure: the library must be configured to prevent any embedded JavaScript within the PDF from executing, while still displaying the document’s static visual content (text, images, etc.).

The goal is to neutralize any potential XSS threats originating from untrusted, user-uploaded files.

Is there an option to disable the execution of JavaScript code in the file preview?


Solution

  • Set isEvalSupported to false; that should stop loading of injected JavaScript. It depends on what version of pdf.js you are running, but generally options={{isEvalSupported: false}} works.

    isEvalSupported: Determines if we can evaluate strings as JavaScript. Primarily used to improve performance of PDF functions. The default value is true.

    reference