SAP / openui5

OpenUI5 lets you build enterprise-ready web applications, responsive to all devices, running on almost any browser of your choice.
http://openui5.org
Apache License 2.0
2.94k stars 1.23k forks

PDF Viewer allows the JS embedded in the PDF to be executed #3946

Closed madeleinezeng closed 8 months ago

madeleinezeng commented 8 months ago

OpenUI5 version: 1.120.3

Browser/version (+device/version): Chrome 120.0.6099.130 (windows 11)

Any other tested browsers/devices (OK/FAIL): No

URL (minimal example if possible): N/A

Steps to reproduce the problem:

  1. Preview a PDF with embedded JS

What is the expected result? The embedded JS is not executed, or the preview of the PDF is prevented, to avoid Stored XSS via PDF Injection.

What happens instead? The embedded JS is executed while previewing the PDF.

Any other information? (attach screenshot if possible)

boghyon commented 8 months ago

Unfortunately, security issues cannot be processed here according to https://github.com/SAP/openui5/blob/master/CONTRIBUTING.md#reporting-security-issues

Please follow the linked guideline.

boghyon commented 8 months ago

If the source of the PDF file cannot be trusted, keep the PDFViewer property isTrustedSource at false. The user has then the option to explicitly download the PDF file from the toolbar.