PD4ML (HTML to PDF / DOCX / RTF Java converter library) Forums, Technical questions / Troubleshooting: Disable “iframe” execution while exporting to PDF

  • #40147

    Hello Team,
    I am using PD4ML (Version 3115, licensed) in my application to export emails from the user interface to PDF format. A security vulnerability has been detected in emails having a subject such as “Test <iframe src="file:///D:/sampleFile.txt" height="1000px" width="500px">” or “Test <iframe src="file:///etc/shadow" height="1000px" width="500px">”, which, when exported to PDF via PD4ML, leads to execution of this iframe, and the contents of the file specified in the path are also displayed/exported to the PDF.
    This can lead to leakage of sensitive information like system level info to the user.

    Is there any way to prevent or block execution of such iframes so that the contents of the file are not displayed to the user? Please note that valid iframes in the email would need to be executed properly, and iframes such as those pointing to the local file system or local files would need to be blocked.
    Is there a method available in PD4ML version 3 or in later versions?
    Can you provide some guidance on how we can achieve this? This is a critical security vulnerability.

    #40165

    The license information is as below

    License Details:
    Version: 3115fx3 Pro DMS
    License Type: Professional (Pro) – Not Demo
    Product: PD4ML Pro with DMS (Document Management System) features

    #40177

    There are two conversion parameters that can be useful for this case. For PD4ML v4.x they are:

    https://pd4ml.tech/javadoc/com/pd4ml/Constants.html#PD4ML_DISABLE_EXTERNAL_ATTACHMENTS

    https://pd4ml.tech/javadoc/com/pd4ml/Constants.html#PD4ML_ALLOWED_RESOURCE_LOCATION

    In PD4ML v4 the external resource restrictions can be set this way:

    pd4ml.setParam(Constants.PD4ML_DISABLE_EXTERNAL_ATTACHMENTS, "true"); – completely disables the external attachments

    or more precise control with comma-separated list of allowed CSS/image/attachments locations:

    pd4ml.setParam(Constants.PD4ML_ALLOWED_RESOURCE_LOCATION, "C:/SafeAttachments/,http://192.168.0.10/styles/,http://192.168.0.10/images/");

    There is a more or less identical approach to control the external resource availability for PD4ML v3.x:

    Map m = new HashMap();
    m.put(PD4Constants.PD4ML_ALLOWED_RESOURCE_LOCATION, "C:/SafeAttachments/,http://192.168.0.10/styles/,http://192.168.0.10/images/");
    pd4ml.setDynamicParams(m);

    #40178

    And there is a radical solution for <iframe>

    pd4ml.addStyle("iframe {display: none !important}", true);
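The two replies above (#40177 and #40178) each give one control: restricting where the converter may fetch resources from, and hiding every <iframe> with an injected stylesheet. The following is an added example, not code from the thread or from the PD4ML project, that combines both for the v3.x API the original poster runs, and adds the check the report itself points at: the email subject is plain text, so it should be HTML-escaped before it is ever placed in the HTML handed to the converter, which stops the injected <iframe> from existing at all while leaving iframes in the email body untouched. Assumptions: the v3 classes are org.zefer.pd4ml.PD4ML and org.zefer.pd4ml.PD4Constants, PD4ML.render(StringReader, OutputStream) is the v3 rendering call, and the allowlist prefixes, the escaping helper and the sample email are constructed for illustration. Whether PD4ML_ALLOWED_RESOURCE_LOCATION also governs iframe sources on a given build is something to verify on your own version by exporting the reported subject line, which is why the iframe-hiding stylesheet is kept as an independent, switchable layer.

```java
// Added example (not from the forum thread or the PD4ML project): a hardened
// email-to-PDF export for PD4ML v3.x. Assumed: org.zefer.pd4ml.PD4ML /
// PD4Constants are the v3 classes and render(StringReader, OutputStream) is
// the v3 rendering call. The allowlist, escape helper and sample email are
// constructed for this example.
import java.io.ByteArrayOutputStream;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;

import org.zefer.pd4ml.PD4Constants;
import org.zefer.pd4ml.PD4ML;

public class SafeEmailExport {

    // Only locations under these prefixes may be fetched during rendering.
    // Anything else, including file:///etc/shadow or file:///D:/..., is
    // outside the allowlist. Constructed values; substitute your own.
    private static final String[] ALLOWED_LOCATIONS = {
        "C:/SafeAttachments/",
        "http://192.168.0.10/styles/",
        "http://192.168.0.10/images/"
    };

    // Comma-separated form expected by PD4ML_ALLOWED_RESOURCE_LOCATION.
    public static String allowedResourceLocations() {
        return String.join(",", ALLOWED_LOCATIONS);
    }

    // Root-cause fix for the report: the subject is untrusted text, never
    // markup, so escape it before it is concatenated into the HTML document.
    // Minimal escaper written for this example (use your framework's if it has one).
    public static String escapeHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (char c : text.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static String buildEmailHtml(String subject, String bodyHtml) {
        // Subject is escaped; the body is trusted HTML from the mail store and
        // keeps its legitimate iframes, which the converter's allowlist governs.
        return "<html><body><h1>" + escapeHtml(subject) + "</h1>" + bodyHtml + "</body></html>";
    }

    public static byte[] exportToPdf(String emailHtml, boolean hideIframes) throws Exception {
        PD4ML pd4ml = new PD4ML();

        // Layer 1: restrict external resources (CSS, images, attachments) to
        // the allowlist via the v3 dynamic-parameter map from reply #40177.
        Map<String, String> params = new HashMap<>();
        params.put(PD4Constants.PD4ML_ALLOWED_RESOURCE_LOCATION, allowedResourceLocations());
        pd4ml.setDynamicParams(params);

        // Layer 2 (optional, the "radical" option from reply #40178): hide every
        // <iframe> so nothing is laid out for it, wherever its src points.
        if (hideIframes) {
            pd4ml.addStyle("iframe {display: none !important}", true);
        }

        ByteArrayOutputStream pdf = new ByteArrayOutputStream();
        pd4ml.render(new StringReader(emailHtml), pdf);
        return pdf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample using the subject line from the original report.
        String subject = "Test <iframe src=\"file:///etc/shadow\" height=\"1000px\" width=\"500px\">";
        String body = "<p>Hello</p>";
        String html = buildEmailHtml(subject, body);
        // After escaping, the subject renders as literal text; no iframe element exists.
        byte[] pdf = exportToPdf(html, false);
        System.out.println("PDF bytes: " + pdf.length);
    }
}
```

For PD4ML v4.x the same two layers are set with pd4ml.setParam(Constants.PD4ML_ALLOWED_RESOURCE_LOCATION, ...) or pd4ml.setParam(Constants.PD4ML_DISABLE_EXTERNAL_ATTACHMENTS, "true") as shown in reply #40177; the subject escaping is independent of the converter version. Because the converter runs on the server with the server's file-system and network reach, treat any file:// or internal-network reference in rendered HTML as an SSRF/local-file-read vector and keep the allowlist as narrow as the legitimate attachments and stylesheets require.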

