Stirling-PDF

mirror of https://github.com/Frooodle/Stirling-PDF.git synced 2026-02-01 20:10:35 +01:00

History

Ludy 6b6699ed70 fix(security): sanitize image handling to prevent DOM XSS in PdfContainer (#4267 ) # Description of Changes - Removed the insecure `addImageFile` implementation from `ImageHighlighter.js` - Hardened `PdfContainer.addImageFile`: - Rejects non-image and SVG files to mitigate DOM XSS risks - Uses `URL.createObjectURL` safely with automatic revocation after load - Introduced `bytesFromImageElement` utility to: - Safely extract image bytes from `blob:` URLs via Canvas (always PNG) - Fetch image data robustly for `http(s)` and `data:` URLs - Use HTTP Content-Type as a hint for image type detection - Updated image type detection to consider explicitly forced types This change addresses a CodeQL security alert by ensuring user-supplied image files cannot introduce executable scripts. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.		2025-10-29 23:19:37 +00:00
..
common	feat(database): add email notifications for backups/imports & backup verification (#4253 )	2025-10-29 23:18:54 +00:00
core	fix(security): sanitize image handling to prevent DOM XSS in PdfContainer (#4267 )	2025-10-29 23:19:37 +00:00
proprietary	feat(database): add email notifications for backups/imports & backup verification (#4253 )	2025-10-29 23:18:54 +00:00
allowed-licenses.json	feat(cbr-to-pdf,pdf-to-cbr): add PDF to/from CBR conversion with ebook optimization option (#4581 )	2025-10-04 11:15:23 +01:00