inline formatting allows javascript insertion #385

Closed
felixgr opened this Issue Aug 10, 2012 · 2 comments


@felixgr

If user-supplied text is used with :inline_format the user can format text. This also allows attacker-controlled Acrobat JavaScript onclick execution by using and formatting in generated PDF.

I would suggest whitelisting href and anchor protocols (e.g. only file, http, https, mailto, ftp).

@felixgr
```ruby
require "prawn"
Prawn::Document.generate("links.pdf") do
  text "<link href='javascript:app.response(\"1\");'>href</link>" +
       "<link anchor='javascript:app.response(\"2\");'>anchor</link>",
       :inline_format => true
end
```
@bradediger
prawnpdf member

See my answer to #384 for general policy. We shouldn't prohibit Javascript link targets in Prawn, because some applications might want them, and whitelisting against them would break that behavior. If you want to allow user-provided links but not allow users to create Javascript links, you should do the whitelisting at the application level.

@bradediger bradediger closed this Aug 12, 2012