Is there a way to delete all javascript from the PDF?

[Zirafnik]

I noticed there is an addjavascript method, but is there a method to remove all javascript actions? How would I go about doing that?

Link: https://pdf-lib.js.org/docs/api/classes/pdfdocument#addjavascript

I need it to avoid malicious code from users' uploaded content.

[holub008]

I'm a PDF & pdf-lib novice, but here's my / GPT's attempt at this. It sanitizes this example xss.pdf (which will run alert('XSS') if opened in most browsers' default viewer), but I have no idea if this is complete protection.

I agree it would be an nice feature offering, since it's an XSS protection for any app accepting user uploaded PDFs.

const {
  PDFDocument, PDFName, PDFArray, PDFDict,
} = require('pdf-lib');

async function sanitizePDF(pdfBytes) {
  const pdfDoc = await PDFDocument.load(pdfBytes);

  function removeJavaScriptFromDict(dict) {
    if (!dict || !(dict instanceof PDFDict)) return;

    if (dict.has(PDFName.of('JS'))) {
      dict.delete(PDFName.of('JS'));
    }

    for (const [_, value] of dict.entries()) {
      if (value instanceof PDFDict) {
        removeJavaScriptFromDict(value);
      }
    }
  }

  const pages = pdfDoc.getPages();
  pages.forEach((page) => {
    const { dict } = page.node;

    removeJavaScriptFromDict(dict);

    const annotsArray = dict.get(PDFName.of('Annots'));
    if (annotsArray instanceof PDFArray) {
      annotsArray.asArray().forEach((annotRef) => {
        const annot = annotRef.lookup();
        if (annot instanceof PDFDict) {
          removeJavaScriptFromDict(annot);
        }
      });
    }

    const aaDict = dict.get(PDFName.of('AA'));
    if (aaDict instanceof PDFDict) {
      removeJavaScriptFromDict(aaDict);
    }
  });

  const { catalog } = pdfDoc;

  const openAction = catalog.get(PDFName.of('OpenAction'));
  if (openAction instanceof PDFDict) {
    removeJavaScriptFromDict(openAction);
  }

  const namesDict = catalog.get(PDFName.of('Names'));
  if (namesDict instanceof PDFDict) {
    const jsDict = namesDict.get(PDFName.of('JavaScript'));
    if (jsDict instanceof PDFDict) {
      removeJavaScriptFromDict(jsDict);
    }
  }

  return pdfDoc.save();
}

[iMaro40]

Here is a short working version I have in case it helps anyone:

import { PDFDict, PDFDocument, PDFName, PDFObject } from "pdf-lib";
import fs from "fs";
import path from "path";

const removeJsFromPdfObject = (pdfObject: PDFObject) => {
  if (!(pdfObject instanceof PDFDict)) return;

  const jsAction = PDFName.of("JS");
  if (pdfObject.has(jsAction)) pdfObject.delete(jsAction);

  pdfObject.values().forEach((subObject) => removeJsFromPdfObject(subObject));
};

const removeEmbeddedJsFromPdf = (pdfDoc: PDFDocument) => {
  pdfDoc.getPages().forEach((page) => {
    const aaDict = page.node.get(PDFName.of("AA"));
    removeJsFromPdfObject(aaDict);
  });
};

const main = async () => {
  const existingPdfBytes = await fs.readFileSync(
    path.join(__dirname, "FileXSS.pdf")
  );

  const pdfDoc = await PDFDocument.load(existingPdfBytes);
  removeEmbeddedJsFromPdf(pdfDoc);

  const newPdfBytes = await pdfDoc.save();
  await fs.writeFileSync("sanitizedPdf.pdf", newPdfBytes);
};

main();