480191 – Allow user to disable JavaScript support.

Bug 480191 - Allow user to disable JavaScript support.

Summary: Allow user to disable JavaScript support.

Status:	REPORTED

Alias:	None

Product:	okular
Classification:	Applications
Component:	PDF backend (show other bugs)
Version:	22.12.3
Platform:	Debian stable Linux

Importance:	NOR wishlist
Target Milestone:	---
Assignee:	Okular developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-01-22 21:47 UTC by Paul Millar
Modified:	2024-06-18 18:40 UTC (History)
CC List:	2 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Paul Millar 2024-01-22 21:47:36 UTC

SUMMARY

JavaScript support increases the attack surface should the Okular user be given a malicious PDF file.

It would be helpful if Okular warned the user before executing any embedded JavaScript.

Similarly, it would be helpful if the user could disable JavaScript support altogether, particularly when the PDF came from an untrusted source.

STEPS TO REPRODUCE
1. Download example PDF from https://www.pdfscripting.com/public/FreeStuff/PDFSamples/JavaScriptClock.pdf
2. Open file with okular

OBSERVED RESULT

JavaScript code is executed without warning the user.  Okular seems to provide no way to disable JavaScript.

EXPECTED RESULT

I would like to be warned before Okular starts executing JavaScript.

I would also like to see a configuration option that allows the user to disable JavaScript support.