Skip to content

fix: enhance PDF viewer security by removing file parameters and validating URLs #37934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
papphelix wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: enhance PDF viewer security by removing file parameters and validating URLs #37934

papphelix wants to merge 2 commits into from
+202 −122

Conversation

@papphelix
Copy link

@papphelix papphelix commented Jan 23, 2026

This pull request is to fix the file param in URL which is creating security issue by sending arbitrary data in query param which can put cms under risk of different attacks like

  • random load which is read
  • xss attack if pdf.js is not handling properly while reading file param

Issue Screenshots:
image

image

Fixes done:

  • Removed File param from iframe src
  • Added postmessage based communication to pass on file path for loading the PDF on the pdf.js
  • When the url of iframe is opened it will always show chapters first pdf by default.
pdf-file-param-removal.mov

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@feanil feanil Awaiting requested review from feanil

@Faraz32123 Faraz32123 Awaiting requested review from Faraz32123

@jristau1984 jristau1984 Awaiting requested review from jristau1984

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@papphelix @viv-helix