Cross Site Scripting - PDF upload | Community
January 26, 2026


We recently completed our year‑end penetration testing for the application and identified a medium‑severity issue. The system does not restrict or sanitize PDF uploads that contain embedded JavaScript code. An attacker could upload a specially crafted PDF with embedded JavaScript, and if a privileged user later opens the PDF in a PDF reader, the JavaScript may execute within the reader process.

As a remediation, can we block or reject PDF files that contain embedded JavaScript during upload?

1 reply

konstantyn_diachenko
Community Advisor
January 26, 2026

Hi @Vijaya_KrishnaKo,

Yes. You can remediate this by validating uploaded PDFs server-side and rejecting any files that contain embedded JavaScript or active actions (e.g., /JavaScript, /JS, /OpenAction). This can be implemented using a PDF parsing library (such as Apache PDFBox) during upload. Additionally, PDFs can be re-saved or converted to remove active content as a defense-in-depth measure.

Discover the capabilities of the PDFBox library (https://pdfbox.apache.org/). It allows accessing global JS or page-level JS actions.

Kostiantyn Diachenko, Community Advisor, Certified Senior AEM Developer, creator of free AEM VLT Tool, maintainer of AEM Tools plugin.
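As an added example of the server-side check described in the reply above (example code written for this thread, not PDFBox's own sample code or anything from the original post): a hypothetical `PdfActiveContentCheck` helper that walks every object reachable from the document catalog and reports `/JavaScript` and `/JS` entries, `/S /JavaScript` actions and an `/OpenAction` action. It assumes PDFBox 3.x (`org.apache.pdfbox.Loader`); the class and method names are my own.

```java
import java.io.IOException;
import java.util.*;
import org.apache.pdfbox.Loader;
import org.apache.pdfbox.cos.*;
import org.apache.pdfbox.pdmodel.PDDocument;

/** Upload-time check for active content in a PDF (hypothetical helper; assumes PDFBox 3.x). */
public final class PdfActiveContentCheck {

    /** Returns one line per finding; an empty list means no JavaScript or open action was found. */
    public static List<String> findActiveContent(byte[] pdfBytes) throws IOException {
        List<String> findings = new ArrayList<>();
        // Malformed or password-protected files throw IOException: reject those as well, since a
        // file that cannot be inspected cannot be declared safe. (PDFBox 2.x: PDDocument.load(bytes).)
        try (PDDocument doc = Loader.loadPDF(pdfBytes)) {
            COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
            COSBase open = catalog.getDictionaryObject(COSName.OPEN_ACTION);
            // An /OpenAction that is a destination array only jumps to a page; a dictionary is an action.
            if (open instanceof COSDictionary) {
                findings.add("/OpenAction action /S " + ((COSDictionary) open).getNameAsString(COSName.S));
            }
            walk(catalog, "Catalog", findings, Collections.newSetFromMap(new IdentityHashMap<COSBase, Boolean>()));
        }
        return findings;
    }

    // Depth-first walk over every object reachable from the catalog (/Names tree, page /AA
    // dictionaries, annotations, AcroForm fields), so JavaScript is found wherever it is attached,
    // not only in the document-level /Names /JavaScript tree.
    private static void walk(COSBase node, String path, List<String> findings, Set<COSBase> seen) {
        if (node instanceof COSObject) node = ((COSObject) node).getObject(); // resolve indirect reference
        if (node == null || !seen.add(node)) return; // already visited: PDF object graphs may contain cycles
        if (node instanceof COSDictionary) {
            COSDictionary dict = (COSDictionary) node;
            if (COSName.JAVA_SCRIPT.equals(dict.getDictionaryObject(COSName.S))) {
                findings.add(path + ": /S /JavaScript action");
            }
            for (Map.Entry<COSName, COSBase> e : dict.entrySet()) {
                COSName key = e.getKey();
                if (COSName.JS.equals(key) || COSName.JAVA_SCRIPT.equals(key)) {
                    findings.add(path + ": /" + key.getName() + " entry");
                }
                if (!COSName.PARENT.equals(key)) walk(e.getValue(), path + "/" + key.getName(), findings, seen);
            }
        } else if (node instanceof COSArray) {
            for (COSBase item : (COSArray) node) walk(item, path + "[]", findings, seen);
        }
    }
}
```

In the upload handler, reject the file when the returned list is non-empty or when `findActiveContent` throws, and keep the findings in the server log so the rejection can be explained and counted.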