mirrors/jellyfin-web
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00
Code Activity

Disable eval support in pdfjs

Browse source
This commit is contained in:
Bill Thornton 2024-06-10 11:57:18 -04:00
parent 7e20d3032f
commit 4ec0e2f086
1 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/plugins/pdfPlayer/plugin.js
View file

@ -207,7 +207,12 @@ export class PdfPlayer {
this.bindEvents();
GlobalWorkerOptions.workerSrc = appRouter.baseUrl() + '/libraries/pdf.worker.js';
const downloadTask = getDocument(downloadHref);
const downloadTask = getDocument({
url: downloadHref,
// Disable for PDF.js XSS vulnerability
// https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
isEvalSupported: false
});
return downloadTask.promise.then(book => {
if (this.cancellationToken) return;
this.book = book;