disable scripting in pdfviewer

Signed-off-by: Simon L <[email protected]>
nextcloud · Jan 18, 2024 · d1851f7 · d1851f7
1 parent 1b567e8
commit d1851f7
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -4,6 +4,16 @@ files_pdfviewer
 This application integrates the [PDF.js](https://mozilla.github.io/pdf.js/) library into Nextcloud's Viewer.
 You can view PDF files as well as Adobe Illustrator files (.ai)
 
+### Enable Javascript execution in PDF files
+
+To allow Javascript embedded in PDF-files to be executed inside the PDF-viewer inside your browser, enable it with:
+
+`php occ config:app:set files_pdfviewer enable_scripting --value=yes`
+
+Disable:
+
+`php occ config:app:delete files_pdfviewer enable_scripting`
+
 ## 🏗 Development setup
 
 1. ☁ Clone this app into the `apps` folder of your Nextcloud: `git clone https://github.com/nextcloud/files_pdfviewer.git`

diff --git a/src/workersrc.js b/src/workersrc.js
@@ -44,7 +44,9 @@ function initializeCustomPDFViewerApplication() {
 	PDFViewerApplicationOptions.set('isEvalSupported', false)
 	PDFViewerApplicationOptions.set('workerSrc', head.getAttribute('data-workersrc'))
 	PDFViewerApplicationOptions.set('cMapUrl', head.getAttribute('data-cmapurl'))
+	PDFViewerApplicationOptions.set('sandboxBundleSrc', head.getAttribute('data-sandbox'))
 	PDFViewerApplicationOptions.set('enablePermissions', true)
+	PDFViewerApplicationOptions.set('enableScripting', head.getAttribute('data-enableScripting') === true)
 
 	if (canDownload === '0') {
 		const pdfViewer = window.document.querySelector('.pdfViewer')

diff --git a/templates/viewer.php b/templates/viewer.php
@@ -3,6 +3,10 @@
   /** @var OCP\IURLGenerator $urlGenerator */
   $urlGenerator = $_['urlGenerator'];
   $version = \OC::$server->getAppManager()->getAppVersion('files_pdfviewer');
+  $enableScripting = false;
+  if (\OC::$server->getConfig()->getAppValue('files_pdfviewer', 'enable_scripting', 'no') === 'yes') {
+  	$enableScripting = true;
+  }
 ?>
 
 <!DOCTYPE html>
@@ -29,6 +33,8 @@
 -->
 <html dir="ltr" mozdisallowselectionprint>
   <head data-workersrc="<?php p($urlGenerator->linkTo('files_pdfviewer', 'js/pdfjs/build/pdf.worker.js')) ?>?v=<?php p($version) ?>"
+        data-enableScripting="<?php p($enableScripting ? true : false) ?>"
+        data-sandbox="<?php p($urlGenerator->linkTo('files_pdfviewer', 'js/pdfjs/build/pdf.sandbox.js'))?>"
         data-cmapurl="<?php p($urlGenerator->linkTo('files_pdfviewer', 'js/pdfjs/web/cmaps/')) ?>">
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">