Preventing Javascript and other potentially malicious content in pdf files

by Ava Taylor -
Number of replies: 4

Seems it is possible for a non-admin user (a student for example) to upload a .PDF file that contains JavaScript and other potentially manipulative elements.

What can I do to prevent this? I still need students to upload PDF files but I need to prevent this kind of content in them.

I'm currently using Moodle 3.9.6 at the moment and cannot upgrade to newer versions of Moodle.

In reply to Ava Taylor

Re: Preventing Javascript and other potentially malicious content in pdf files

by Sergio Rabellino -
But in what JavaScript scope is this code run? Searching around, it seems that the JavaScript embedded in the PDF can only be executed in the document context, so it is limited to automating some processes within the PDF itself.
IMHO this is not a problem for Moodle.
In reply to Sergio Rabellino

Re: Re: Preventing Javascript and other potentially malicious content in pdf files

by Ava Taylor -

I'm not sure about the scope, but I'm positive I don't want it in the PDF file.

In reply to Ava Taylor

Re: Re: Preventing Javascript and other potentially malicious content in pdf files

by Brett Dalton -
No, there isn't. But the JS that is supported in a PDF is extremely limited, mostly to manipulating form data, which is what it's intended for. It can't manipulate the text of the PDF, nor does it have any access to the browser DOM, and it can't send network requests. Some browsers (possibly all now) don't even consider it part of the same site it was launched from, so it can't even affect the site it was launched from. It's far less of a risk than JS running on any website you use regularly; at worst it's more likely to be an annoyance than actively malicious.
In reply to Brett Dalton

Re: Re: Preventing Javascript and other potentially malicious content in pdf files

by Ava Taylor -

I gave JavaScript only as an example of what I thought might be malicious content for a PDF.

What I'm concerned about is any kind of content that CAN be considered malicious but cannot be detected by the ClamAV antivirus we are using in our Moodle.
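An added example, not part of any reply in this thread and not Moodle code: a triage check that could be run over uploaded PDFs outside Moodle to flag active-content keys (JavaScript, auto-run actions, launch actions, attachments) for manual review. The function names and sample bytes are constructed for illustration; the scan reads raw bytes only, so it flags compressed object streams instead of looking inside them.

```python
import re

# PDF name keys worth flagging when triaging an upload (names defined by the PDF spec).
RISKY_NAMES = {
    "JS": "JavaScript source of an action",
    "JavaScript": "JavaScript action type or name tree",
    "OpenAction": "action run when the document is opened",
    "AA": "additional actions bound to events",
    "Launch": "action that launches an application or file",
    "EmbeddedFile": "attached file stream",
    "ObjStm": "compressed object stream, opaque to this byte scan",
}

# A name is "/" followed by characters up to PDF whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#53 is recognised as /JS."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrences} for every risky name in the raw bytes."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no PDF header in the first 1024 bytes")
    hits = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed sample inputs (fragments, not complete PDF files).
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ACTIVE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /J#53 (var x = 1;) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("active", SAMPLE_ACTIVE)):
        for name, count in sorted(scan_pdf(sample).items()):
            print(f"{label}: /{name} x{count} ({RISKY_NAMES[name]})")
        if not scan_pdf(sample):
            print(f"{label}: no flagged names")
```

A hit is a reason to look at the file, not proof that it is malicious, and byte sequences inside binary streams can produce false positives.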