When the last Tetris PDF was on the HN homepage I looked into ways of disabling JS in PDFs but was unable to find any way other than disabling JS for the entire browser. I tried messing about with uBlock filters but to no avail. Does anyone know if this can be achieved?
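Related to the question above, an added example (not part of the thread, and not a way to switch JS off in the viewer): a Python triage check that reports whether a PDF carries script or auto-run action names before it is opened. The sample bytes are constructed, the function names are hypothetical, and only Flate-compressed streams are inspected, so a zero count on an encrypted or otherwise filtered file proves nothing.

```python
import re
import zlib

# Name objects a viewer acts on to run script or trigger actions.
SUSPECT_NAMES = ("JS", "JavaScript", "OpenAction", "AA")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes):
    """Yield inflated stream bodies; compressed objects can hide names."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the newline left before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate, or a filter this sketch does not handle

def scan_pdf(data: bytes) -> dict:
    """Count suspect names in the raw file and inside inflated streams."""
    counts = {name: 0 for name in SUSPECT_NAMES}
    for layer in [data, *inflate_streams(data)]:
        text = decode_names(layer)
        for name in SUSPECT_NAMES:
            # A name ends at whitespace or a PDF delimiter (/JS is not /JSON)
            pat = rb"/" + name.encode() + rb"(?=[\s/<>\[\](){}%]|$)"
            counts[name] += len(re.findall(pat, text))
    return counts

def has_script(data: bytes) -> bool:
    return any(scan_pdf(data).values())

# Constructed sample: one escaped name in the clear, one action inside a
# Flate stream. Not a complete, openable PDF.
_hidden = zlib.compress(b"<< /S /JavaScript /JS 6 0 R >>")
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode >>\nstream\n"
    + _hidden + b"\nendstream endobj\n%%EOF\n"
)
CLEAN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /JSONish 1 >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE), has_script(CLEAN))
```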
So you can run a PDF reader inside it to display a PDF? Honestly I am a little worried someone will come up with some sort of smart DRM based on this.
In seriousness, it’s impressive and highlights how awful the PDF format is. Can we have a document format that is less encumbered, more structured, and more accepted as a “real” document yet?
Actually you don't need an old version of emscripten, hit me up for the Makefile and pdf templates or wait till official release. My build script will make the pdf work both on Chrome and Firefox, Adobe support is pending.
This is kind of what NSO Group’s Pegasus did to break out of iPhone sandboxing. They exploited a codec to bootstrap a virtual machine with a custom instruction set.
This is not breaking any sandboxing as far as I understand it. PDFs can contain JavaScript, JavaScript can emulate a processor and a processor can run Linux... but that Linux is not getting outside the boundaries of the PDF viewer.
On Edge (Chromium), I get this error message instead:
An embedded page at linux.doompdf.dev says
TypeError: Cannot set properties of null (setting 'value')
at Object.0.9657115108887302 (<anonymous>:248:42)
at set_interval_callback (<anonymous>:43:24)
at <anonymous>:1:6
Instead of a hash sum you could use a crypto signature. Makes it even more useful: if someone legitimately alters the file, you could verify who it was. While you're at it, make it a zipped git repository and you have edit history for free.
Not sure, but maybe hashing the media files to be zipped and including that hashlist in the hashed lmd would prevent that? Or at least allow for a verification that they weren't altered.
Is there even a single solid motivating example for why JS in PDF is useful? Can anyone show a real-world application of JS in PDF where it's actually a good fit?
I just don't see why PDF would be your file format of choice if you're writing JS.
We have tax forms available as interactive PDFs, which:
* auto-computes formulas
* enables and disables whole sections of the document depending on filled values
* performs complex validation, beyond checking for required fields and regexp patterns
* offers inline help
* can be filled, saved and printed completely offline
* when printed, looks exactly the same as traditional, paper form
* don't require external software beyond a PDF reader
It is allowed by the PDF/A-3 standard which lets you embed data and script into a PDF. And this is used as the archive standard for PDF files sent in electronic invoicing in a number of countries. Basically you get a human readable file containing the data presented and it's digitally signed so your data matches the readable presentation.
PDF forms - you can cut down on errors by using JS to enable/disable parts of the form based on user's answers (e.g. if not married, you are also not filling jointly in a tax form).
PDFs work offline, and they are designed to represent printable pages, so if the end document has some use on paper, or if you want to allow users to fill it as a document and to do it completely offline, it makes sense to use PDF.
The form used by the BOIR (Beneficial Owner Information Report), which was supposed to be mandatory for all businesses in the US, uses some kind of scripting, which I suspect is JS. I had to spin up a Windows machine on VirtualBox to get the right version of Adobe Acrobat to fill it in, as Adobe dropped support for Linux years ago. Why the CFPB didn't just create an SPA or a web form for this is a mystery to me.
The BOIR is an important tool for helping investigate money laundering. Its constitutionality is in doubt, apparently by people who think money laundering is a good thing.
It’s no wonder we have endless security issues when documents that should be just data and metadata (layout) declarations are Turing complete. Sigh.