From 2cbc9e4abf78b8d323d82ec9c8cab4ece8e158c6 Mon Sep 17 00:00:00 2001
From: thornbill
Date: Sun, 23 Jun 2024 11:42:26 -0400
Subject: [PATCH] Backport pull request #5694 from jellyfin-web/release-10.9.z

Disable eval support in pdfjs

Original-merge: 4bb0c67340e71dd3198bb8843fccac7960e53e45

Merged-by: thornbill

Backported-by: Joshua M. Boniface
---
 src/plugins/pdfPlayer/plugin.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/plugins/pdfPlayer/plugin.js b/src/plugins/pdfPlayer/plugin.js
index 6a14a4a6842..0a7d2034151 100644
--- a/src/plugins/pdfPlayer/plugin.js
+++ b/src/plugins/pdfPlayer/plugin.js
@@ -207,7 +207,12 @@ export class PdfPlayer {
         this.bindEvents();
 
         GlobalWorkerOptions.workerSrc = appRouter.baseUrl() + '/libraries/pdf.worker.js';
-        const downloadTask = getDocument(downloadHref);
+        const downloadTask = getDocument({
+            url: downloadHref,
+            // Disable for PDF.js XSS vulnerability
+            // https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
+            isEvalSupported: false
+        });
         return downloadTask.promise.then(book => {
             if (this.cancellationToken) return;
             this.book = book;
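Review bot: `isEvalSupported: false` is the workaround the linked advisory documents, not the fix — GHSA-wgrm-67xf-hhpq (crafted font data reaching a `new Function` path, executed in the hosting origin) is closed by moving pdfjs-dist to the patched release (4.2.67 or later, per the advisory), and the worker bundle served from the `GlobalWorkerOptions.workerSrc` line must be rebuilt from that same release so main thread and worker agree on the option. Nothing in this hunk shows the dependency being bumped, so the comment should say explicitly that this is defense in depth that stays even after the upgrade, e.g. `// Mitigation for GHSA-wgrm-67xf-hhpq: never let PDF.js compile font/PostScript code with new Function; keep this even once pdfjs-dist is patched — nothing here needs eval`. Disabling eval only routes PostScript evaluation through the interpreter, so the cost is rendering speed on affected fonts, not functionality. The enclosing method starts and ends outside the hunk.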