Closed EastSun5566 closed 6 months ago
Hi team,
Consider the following example, which can trigger an alert popup when inline PDFs are unsupported (like on mobile devices):
```markdown
# XSS 6 <span class="pdf raw" data-pdfurl="'><iframe srcdoc='ww<script src="https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(document.domain)//"></script>'></iframe><p data-x='"></span>
```
The issue arises because PDFObject uses `innerHTML` to insert concatenated fallbackHTML, which could lead to XSS vulnerabilities. For more information, refer to https://github.com/pipwerks/PDFObject/issues/296
This can be seen in the code at the following locations:
https://github.com/pipwerks/PDFObject/blob/2c0bbd90d4de64598ff6df9e1af32de2d58a6eb9/pdfobject.js#L275
https://github.com/pipwerks/PDFObject/blob/2c0bbd90d4de64598ff6df9e1af32de2d58a6eb9/pdfobject.js#L323-L329
I think we should sanitize the URL before passing it to `PDFObject.embed`. This approach should fix the problem.