From d1851f71fc5becd2bb418606c6e7cae97bbef4ab Mon Sep 17 00:00:00 2001
From: Simon L <szaimen@e.mail.de>
Date: Thu, 18 Jan 2024 10:24:51 +0100
Subject: [PATCH] disable scripting in pdfviewer

Signed-off-by: Simon L <szaimen@e.mail.de>
---
 README.md            | 10 ++++++++++
 src/workersrc.js     |  2 ++
 templates/viewer.php |  6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/README.md b/README.md
index c6439a0e..8f48b5e1 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,16 @@ files_pdfviewer
 This application integrates the [PDF.js](https://mozilla.github.io/pdf.js/) library into Nextcloud's Viewer.
 You can view PDF files as well as Adobe Illustrator files (.ai)
 
+### Enable Javascript execution in PDF files
+
+To allow Javascript embedded in PDF-files to be executed inside the PDF-viewer inside your browser, enable it with:
+
+`php occ config:app:set files_pdfviewer enable_scripting --value=yes`
+
+Disable:
+
+`php occ config:app:delete files_pdfviewer enable_scripting`
+
 ## 🏗 Development setup
 
 1. ☁ Clone this app into the `apps` folder of your Nextcloud: `git clone https://github.com/nextcloud/files_pdfviewer.git`
diff --git a/src/workersrc.js b/src/workersrc.js
index 5f7731c5..6805739e 100644
--- a/src/workersrc.js
+++ b/src/workersrc.js
@@ -44,7 +44,9 @@ function initializeCustomPDFViewerApplication() {
 	PDFViewerApplicationOptions.set('isEvalSupported', false)
 	PDFViewerApplicationOptions.set('workerSrc', head.getAttribute('data-workersrc'))
 	PDFViewerApplicationOptions.set('cMapUrl', head.getAttribute('data-cmapurl'))
+	PDFViewerApplicationOptions.set('sandboxBundleSrc', head.getAttribute('data-sandbox'))
 	PDFViewerApplicationOptions.set('enablePermissions', true)
+	PDFViewerApplicationOptions.set('enableScripting', head.getAttribute('data-enableScripting') === true)
 
 	if (canDownload === '0') {
 		const pdfViewer = window.document.querySelector('.pdfViewer')
diff --git a/templates/viewer.php b/templates/viewer.php
index 1b7abd1d..55bc29a6 100644
--- a/templates/viewer.php
+++ b/templates/viewer.php
@@ -3,6 +3,10 @@
   /** @var OCP\IURLGenerator $urlGenerator */
   $urlGenerator = $_['urlGenerator'];
   $version = \OC::$server->getAppManager()->getAppVersion('files_pdfviewer');
+  $enableScripting = false;
+  if (\OC::$server->getConfig()->getAppValue('files_pdfviewer', 'enable_scripting', 'no') === 'yes') {
+  	$enableScripting = true;
+  }
 ?>
 
 <!DOCTYPE html>
@@ -29,6 +33,8 @@
 -->
 <html dir="ltr" mozdisallowselectionprint>
   <head data-workersrc="<?php p($urlGenerator->linkTo('files_pdfviewer', 'js/pdfjs/build/pdf.worker.js')) ?>?v=<?php p($version) ?>"
+        data-enableScripting="<?php p($enableScripting ? true : false) ?>"
+        data-sandbox="<?php p($urlGenerator->linkTo('files_pdfviewer', 'js/pdfjs/build/pdf.sandbox.js'))?>"
         data-cmapurl="<?php p($urlGenerator->linkTo('files_pdfviewer', 'js/pdfjs/web/cmaps/')) ?>">
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">