mirror of
https://github.com/mozilla/pdf.js.git
synced 2025-04-22 16:18:08 +02:00
Rejects incorrect url in download manager
parent
ef658bf5f1
commit
28778e6c1b
3 changed files with 30 additions and 22 deletions
|
@ -16,7 +16,7 @@
|
|||
*/
|
||||
/* globals Util, isDict, isName, stringToPDFString, TODO, Dict, Stream,
|
||||
stringToBytes, PDFJS, isWorker, assert, NotImplementedException,
|
||||
Promise, isArray, ObjectLoader */
|
||||
Promise, isArray, ObjectLoader, isValidUrl */
|
||||
|
||||
'use strict';
|
||||
|
||||
|
@ -641,24 +641,6 @@ var TextAnnotation = (function TextAnnotationClosure() {
|
|||
})();
|
||||
|
||||
var LinkAnnotation = (function LinkAnnotationClosure() {
|
||||
function isValidUrl(url) {
|
||||
if (!url)
|
||||
return false;
|
||||
var colon = url.indexOf(':');
|
||||
if (colon < 0)
|
||||
return false;
|
||||
var protocol = url.substr(0, colon);
|
||||
switch (protocol) {
|
||||
case 'http':
|
||||
case 'https':
|
||||
case 'ftp':
|
||||
case 'mailto':
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function LinkAnnotation(params) {
|
||||
Annotation.call(this, params);
|
||||
|
||||
|
@ -676,7 +658,7 @@ var LinkAnnotation = (function LinkAnnotationClosure() {
|
|||
var url = action.get('URI');
|
||||
// TODO: pdf spec mentions urls can be relative to a Base
|
||||
// entry in the dictionary.
|
||||
if (!isValidUrl(url)) {
|
||||
if (!isValidUrl(url, false)) {
|
||||
url = '';
|
||||
}
|
||||
data.url = url;
|
||||
|
@ -692,7 +674,7 @@ var LinkAnnotation = (function LinkAnnotationClosure() {
|
|||
|
||||
// TODO: pdf reference says that GoToR
|
||||
// can also have 'NewWindow' attribute
|
||||
if (!isValidUrl(url)) {
|
||||
if (!isValidUrl(url, false)) {
|
||||
url = '';
|
||||
}
|
||||
data.url = url;
|
||||
|
|
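Review bot: The value read by `action.get('URI')` is passed straight to `isValidUrl(url, false)`, and that helper calls `url.indexOf(':')`, so a truthy non-string entry would throw instead of being rejected. Nothing visible in this section guarantees that the URI entry of a parsed PDF is a string, so the guard could read `if (typeof url !== 'string' || !isValidUrl(url, false)) {`. The same applies to the second call in the GoToR hunk, where the origin of `url` lies outside the visible lines. Both enclosing functions start and end outside their hunks.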
22
src/util.js
22
src/util.js
|
@ -108,6 +108,28 @@ function combineUrl(baseUrl, url) {
|
|||
}
|
||||
}
|
||||
|
||||
// Validates if URL is safe and allowed, e.g. to avoid XSS.
|
||||
function isValidUrl(url, allowRelative) {
|
||||
if (!url) {
|
||||
return false;
|
||||
}
|
||||
var colon = url.indexOf(':');
|
||||
if (colon < 0) {
|
||||
return allowRelative;
|
||||
}
|
||||
var protocol = url.substr(0, colon);
|
||||
switch (protocol) {
|
||||
case 'http':
|
||||
case 'https':
|
||||
case 'ftp':
|
||||
case 'mailto':
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
PDFJS.isValidUrl = isValidUrl;
|
||||
|
||||
// In a well-formed PDF, |cond| holds. If it doesn't, subsequent
|
||||
// behavior is undefined.
|
||||
function assertWellFormed(cond, msg) {
|
||||
|
|
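Review bot: When `allowRelative` is set, the `colon < 0` branch of `isValidUrl` accepts every colon-free string, and that includes scheme-relative references such as `//host/path`, which resolve to a different origin. The caller that passes `true` is not visible on this page, so if it means "same-origin path only", that case should be rejected here or the limitation stated in the comment above the function. The branch also returns the argument itself, so omitting the second argument yields `undefined` rather than `false`; `return !!allowRelative;` keeps the result boolean. The comment could also say that the scheme check is an exact, case-sensitive allowlist of `http`, `https`, `ftp` and `mailto`, so anything else fails closed.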