Bug 480191

Summary: Allow user to disable JavaScript support.
Product: [Applications] okular Reporter: Paul Millar <paul.millar>
Component: PDF backendAssignee: Okular developers <okular-devel>
Status: REPORTED ---    
Severity: wishlist CC: aacid, kubry
Priority: NOR    
Version: 22.12.3   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Paul Millar 2024-01-22 21:47:36 UTC 
SUMMARY

JavaScript support increases the attack surface should the Okular user be given a malicious PDF file.

It would be helpful if Okular warned the user before executing any embedded JavaScript.

Similarly, it would be helpful if the user could disable JavaScript support altogether, particularly when the PDF came from an untrusted source.

STEPS TO REPRODUCE
1. Download example PDF from https://www.pdfscripting.com/public/FreeStuff/PDFSamples/JavaScriptClock.pdf
2. Open file with okular

OBSERVED RESULT

JavaScript code is executed without warning the user.  Okular seems to provide no way to disable JavaScript.

EXPECTED RESULT

I would like to be warned before Okular starts executing JavaScript.

I would also like to see a configuration option that allows the user to disable JavaScript support.