PDF Viewer allows the JS embedded in the PDF to be executed #3946

madeleinezeng · 2024-01-10T06:29:51Z

OpenUI5 version: 1.120.3

Browser/version (+device/version): Chrome 120.0.6099.130 (windows 11)

Any other tested browsers/devices(OK/FAIL): No

URL (minimal example if possible): N/A

Steps to reproduce the problem:

Preview a PDF with embedded JS

What is the expected result?
The embedded JS is not executed, or the preview of the PDF is prevented, to avoid Stored XSS via PDF Injection

What happens instead?
The embedded JS is executed while previewing the PDF

Any other information? (attach screenshot if possible)

boghyon · 2024-01-10T10:39:55Z

Unfortunately, security issues cannot be processed here according to https://github.com/SAP/openui5/blob/master/CONTRIBUTING.md#reporting-security-issues

Please follow the linked guideline.

boghyon · 2024-01-10T11:16:01Z

If the source of the PDF file cannot be trusted, keep the PDFViewer property isTrustedSource at false. The user has then the option to explicitly download the PDF file from the toolbar.

i556484 closed this as completed Jan 10, 2024

i556484 added the consulting label Jan 10, 2024

boghyon mentioned this issue Feb 2, 2024

HIGH URGENCY: PDFViewer is corrupted after 1.120.5 upgrade #3964

Closed

i556484 added the duplicate label Apr 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PDF Viewer allows the JS embedded in the PDF to be executed #3946

PDF Viewer allows the JS embedded in the PDF to be executed #3946

madeleinezeng commented Jan 10, 2024 •

edited

Loading

boghyon commented Jan 10, 2024

boghyon commented Jan 10, 2024

PDF Viewer allows the JS embedded in the PDF to be executed #3946

PDF Viewer allows the JS embedded in the PDF to be executed #3946

Comments

madeleinezeng commented Jan 10, 2024 • edited Loading

boghyon commented Jan 10, 2024

boghyon commented Jan 10, 2024

madeleinezeng commented Jan 10, 2024 •

edited

Loading