inline formatting allows javascript insertion #385

felixgr opened this Issue Aug 10, 2012 · 2 comments

If user-supplied text is used with :inline_format, the user can format text. This also allows attacker-controlled Acrobat JavaScript onclick execution by using and formatting in generated PDF.

I would suggest to whitelist href and anchor protocols (e.g. only file, http, https, mailto, ftp).

    require 'prawn'
    Prawn::Document.generate("inline_format.pdf") do
      text "<link href='javascript:app.response(\"1\");'>href</link>" +
           "<link anchor='javascript:app.response(\"2\");'>anchor</link>",
           :inline_format => true
    end
prawnpdf member

See my answer to #384 for general policy. We shouldn't prohibit Javascript link targets in Prawn, because some applications might want them, and whitelisting against them would break that behavior. If you want to allow user-provided links but not allow users to create Javascript links, you should do the whitelisting at the application level.

@bradediger bradediger closed this Aug 12, 2012
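The application-level allow-list the maintainer recommends, as an added example (not Prawn's code and not from either commenter): it scans user-supplied inline-format markup for the `<link href='...'>` / `<link anchor='...'>` tags shown in the issue, keeps only `href` targets whose scheme is on the reporter's suggested list, and treats `anchor` as a plain in-document destination name (the assumption that a valid destination name contains no `:` is this example's, not Prawn's). Links that fail the check lose their `<link>` wrapper but keep their visible text, and the rejected targets are returned so the application can log them.

```ruby
# Application-level allow-list for <link> targets before text reaches Prawn with
# :inline_format => true. Added example; tag/attribute syntax follows the issue,
# the scheme list follows the reporter's suggestion.

ALLOWED_SCHEMES = %w[http https mailto ftp file].freeze
LINK_TAG  = %r{<link\s+([^>]*)>(.*?)</link>}mi
LINK_ATTR = /(href|anchor)\s*=\s*(["'])(.*?)\2/mi

# Lower-cased scheme of a target, or nil when it has none. Whitespace and control
# characters are stripped first so an embedded tab or newline cannot split the scheme.
def link_scheme(target)
  cleaned = target.gsub(/[\u0000-\u0020]/, '')
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Schemeless (relative) hrefs are rejected as well: the allow-list is positive only.
def safe_href?(target)
  scheme = link_scheme(target)
  !scheme.nil? && ALLOWED_SCHEMES.include?(scheme)
end

# Prawn anchors name destinations inside the PDF, so no scheme is ever legitimate.
# Assumption for this example: a destination name is a bare identifier with no ':'.
def safe_anchor?(target)
  !target.include?(':') && target.match?(/\A[\w.\-]+\z/)
end

# Returns [sanitized_text, rejected_attribute_strings].
def sanitize_links(text)
  rejected = []
  out = text.gsub(LINK_TAG) do
    whole, attrs, inner = $~[0], $~[1], $~[2]   # capture before scan overwrites $~
    ok = attrs.scan(LINK_ATTR).all? do |name, _quote, value|
      name.downcase == 'href' ? safe_href?(value) : safe_anchor?(value)
    end
    if ok
      whole
    else
      rejected << attrs.strip
      inner
    end
  end
  [out, rejected]
end

# Usage (constructed input, mirrors the issue's reproduction):
clean, dropped = sanitize_links(
  "<link href='javascript:app.response(\"1\");'>href</link> " \
  "<link href='https://example.com/'>ok</link>"
)
puts clean     # => "href <link href='https://example.com/'>ok</link>"
puts dropped   # => ["href='javascript:app.response(\"1\");'"]
```

In the application, pass `sanitize_links(user_text).first` to `text ..., :inline_format => true` instead of the raw input; Prawn itself keeps accepting JavaScript link targets for applications that want them, exactly as the maintainer describes.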