From: Brendan Dahl
Date: Mon, 12 Mar 2012 19:00:30 +0000 (-0700)
Subject: Sanitize pdf link urls.
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=387a56fd2c5bc6dc62186fa1fe162f2e2a55ddf3;p=pdf.js.git
Sanitize pdf link urls.
---
diff --git a/src/core.js b/src/core.js
index 86e3eeb..341cf64 100644
--- a/src/core.js
+++ b/src/core.js
@@ -338,7 +338,13 @@ var Page = (function PageClosure() {
 if (a) {
 switch (a.get('S').name) {
 case 'URI':
- item.url = a.get('URI');
+ var url = a.get('URI');
+ // TODO: pdf spec mentions urls can be relative to a Base
+ // entry in the dictionary.
+ // For now only allow http and https schemes.
+ if (url.search(/^https?\:/) !== 0)
+ url = '';
+ item.url = url;
 break;
 case 'GoTo':
 item.dest = a.get('D');
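Review bot: The scheme check `if (url.search(/^https?\:/) !== 0)` calls `.search` on whatever `a.get('URI')` returns, so an action dictionary in an untrusted PDF whose URI entry is missing or not a string would presumably throw here instead of yielding an empty link. I would guard the type and match the scheme case-insensitively, since URI schemes are case-insensitive and `HTTP://…` is currently dropped: `if (typeof url !== 'string' || !/^https?:/i.test(url))` followed by the existing `url = '';`. The allow-list fails closed, which is the right default for a link target taken from document content. The enclosing switch and function start and end outside this hunk, so how `item.url` is later consumed cannot be confirmed from here.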