From 387a56fd2c5bc6dc62186fa1fe162f2e2a55ddf3 Mon Sep 17 00:00:00 2001
From: Brendan Dahl
Date: Mon, 12 Mar 2012 12:00:30 -0700
Subject: [PATCH 1/2] Sanitize pdf link urls.
---
 src/core.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/core.js b/src/core.js
index 86e3eeb5f..341cf6422 100644
--- a/src/core.js
+++ b/src/core.js
@@ -338,7 +338,13 @@ var Page = (function PageClosure() {
 if (a) {
 switch (a.get('S').name) {
 case 'URI':
- item.url = a.get('URI');
+ var url = a.get('URI');
+ // TODO: pdf spec mentions urls can be relative to a Base
+ // entry in the dictionary.
+ // For now only allow http and https schemes.
+ if (url.search(/^https?\:/) !== 0)
+ url = '';
+ item.url = url;
 break;
 case 'GoTo':
 item.dest = a.get('D');
From 084a8bca031bf8d7aff49f51083afac5b0d5c503 Mon Sep 17 00:00:00 2001
From: Brendan Dahl
Date: Mon, 12 Mar 2012 16:31:49 -0700
Subject: [PATCH 2/2] Add function for checking url.
---
 src/core.js | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/core.js b/src/core.js
index 341cf6422..90a7eda50 100644
--- a/src/core.js
+++ b/src/core.js
@@ -310,6 +310,22 @@ var Page = (function PageClosure() {
 return null;
 return item.get(name);
 }
+ function isValidUrl(url) {
+ if (!url)
+ return false;
+ var colon = url.indexOf(':');
+ if (colon < 0)
+ return false;
+ var protocol = url.substr(0, colon);
+ switch (protocol) {
+ case 'http':
+ case 'https':
+ case 'ftp':
+ return true;
+ default:
+ return false;
+ }
+ }
 
 var annotations = xref.fetchIfRef(this.annotations) || [];
 var i, n = annotations.length;
@@ -341,8 +357,7 @@ var Page = (function PageClosure() {
 var url = a.get('URI');
 // TODO: pdf spec mentions urls can be relative to a Base
 // entry in the dictionary.
- // For now only allow http and https schemes.
- if (url.search(/^https?\:/) !== 0)
+ if (!isValidUrl(url))
 url = '';
 item.url = url;
 break;
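Review bot: The scheme test `if (url.search(/^https?\:/) !== 0)` is case-sensitive, so a link whose URI reads `HTTP://example.com` is blanked together with the dangerous ones even though URI schemes are case-insensitive; `if (url.search(/^https?:/i) !== 0)` keeps the allow-list fail-closed while accepting those. The same line calls `.search` on whatever `a.get('URI')` returned, which throws a TypeError if the `URI` entry is absent or not a string and would abort link extraction for the whole page; a `typeof url !== 'string'` check before the regex test covers both cases. The enclosing `switch` and the method it sits in begin and end outside the hunk.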
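Review bot: `if (!url) return false;` only screens out falsy values, so if `a.get('URI')` can ever yield a truthy non-string (a number or an object; what `get` returns is not visible in this hunk), `url.indexOf(':')` throws and the page's link extraction aborts; `if (typeof url !== 'string') return false;` is the safer guard and subsumes the current one. The `switch` also compares the raw scheme, so `HTTP:` or `Https:` links are rejected although schemes are case-insensitive; `var protocol = url.substr(0, colon).toLowerCase();` fixes that without widening the allow-list. The helper carries no doc comment and the commit message does not mention that `ftp` is now accepted alongside `http`/`https`; a header such as `// Allow-list of URI schemes that may be exposed as links; anything else (javascript:, file:, data:, ...) is rejected.` would record the intent. The function is declared inside a larger method whose start and end lie outside the hunk.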
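Review bot: When `isValidUrl` rejects the URI the link is silently reduced to `item.url = ''`, and nothing in the hunk says why, so the next reader will mistake a blocked `javascript:` target for a missing `URI` entry; a one-line comment above `url = '';`, `// Disallowed or unparsable scheme: drop the target rather than expose it.`, would make the intent explicit. The surviving TODO about `Base`-relative URIs is still accurate, since a relative URI without a colon is rejected by the new helper rather than resolved. The enclosing `switch` continues outside the hunk.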