Closed: felixgr closed 12 years ago
```ruby
require 'prawn'
Prawn::Document.generate("inline_links.pdf") do # reporter's proof of concept: javascript: link targets
  text "<link href='javascript:app.response(\"1\");'>href</link>" +
       "<link anchor='javascript:app.response(\"2\");'>anchor</link>",
       :inline_format => true
end
```
See my answer to #384 for general policy. We shouldn't prohibit JavaScript link targets in Prawn, because some applications might want them, and whitelisting against them would break that behavior. If you want to allow user-provided links but not allow users to create JavaScript links, you should do the whitelisting at the application level.
If user-supplied text is used with :inline_format, the user can format text. This also allows attacker-controlled Acrobat JavaScript onclick execution by using and formatting in the generated PDF.
I would suggest whitelisting href and anchor protocols (e.g. only file, http, https, mailto, ftp).
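One way to do the application-level allow-listing the reporter and maintainer describe, as an added example that is neither Prawn's code nor from the issue: it filters user-supplied inline_format markup before it reaches `text`, keeping only `<link>` targets whose scheme is on the reporter's list. The module and method names, the sample markup and the output path are assumptions.

```ruby
# Added example, not Prawn's own code: application-level allow-listing of
# link targets in user-supplied inline_format markup, which is where the
# maintainer says the check belongs.
module SafeInlineLinks
  # The reporter's suggested scheme list; an application can narrow it.
  ALLOWED_SCHEMES = %w[file http https mailto ftp].freeze

  # One Prawn <link href=...>text</link> or <link anchor=...>text</link>,
  # with either quote style around the target.
  LINK_TAG = %r{<link\s+(href|anchor)\s*=\s*(['"])(.*?)\2\s*>(.*?)</link>}im

  # True only for an explicit, allow-listed scheme. Relative targets and
  # unknown schemes (javascript:, data:, odd casing) are rejected, so the
  # check is an allow-list, not a deny-list that a new scheme could bypass.
  def self.safe_target?(target)
    scheme = target.strip[/\A([a-z][a-z0-9+.\-]*):/i, 1]
    !scheme.nil? && ALLOWED_SCHEMES.include?(scheme.downcase)
  end

  # Keeps allowed links intact; for rejected ones drops the <link> wrapper
  # but preserves the visible text, so the rendered document reads the same.
  def self.sanitize(markup)
    markup.gsub(LINK_TAG) do
      attr, quote, target, text = Regexp.last_match.captures
      safe_target?(target) ? "<link #{attr}=#{quote}#{target}#{quote}>#{text}</link>" : text
    end
  end

  # Renders the filtered markup with Prawn. Needs the prawn gem, so it is
  # required lazily and not run at load time.
  def self.render_pdf(markup, path)
    require 'prawn'
    Prawn::Document.generate(path) do |pdf|
      pdf.text SafeInlineLinks.sanitize(markup), :inline_format => true
    end
  end
end

# Constructed sample: the reporter's proof of concept beside a legitimate link.
UNTRUSTED_MARKUP = "<link href='javascript:app.response(\"1\");'>href</link> " \
                   "<link anchor='javascript:app.response(\"2\");'>anchor</link> " \
                   "<link href=\"https://example.com/\">site</link>"
# SafeInlineLinks.sanitize(UNTRUSTED_MARKUP)
#   => "href anchor <link href=\"https://example.com/\">site</link>"
```

Call `SafeInlineLinks.render_pdf(UNTRUSTED_MARKUP, "sanitized.pdf")` to write the filtered text through Prawn; only the https link survives as a clickable link.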