Carlos E. R. said:
The Wednesday 2006-01-25 at 16:01 -0800, Crispin Cowan wrote:
* PDF: Did you know that the PDF standard allows for embedded Javascript? And that the Adobe Acrobat viewer executes this Javascript? Much much scarier than web bugs.
I thought this only applied to acrobat version 7. Also, I though that other viewers, like xpdf, were safe in this respect.
Javascript is included in the PDF specificaton at least since v1.3 (i.e. Acrobat 4). And PDF supports event-triggered "auto-open" scripts with the same bad security design as MS Office formats (see chapter 8.5.2 in http://partners.adobe.com/public/developer/en/pdf/PDFReference.pdf for details). I'm not sure if xpdf implements the javascript functionality. For Acrobat, javascript/ECMAscript functionality is implemented as a plugin called "Escript.api" (found in the "plug_ins" subdirectory). To disable a plugin, simply remove it from this directory (including any subdirectories). Warning: Many other plugins depend on javascript (including the plugins for forms, spellcheck, weblinks, accessability, digital signatures, multimedia). All these won't work properly without javascript. -- Michel Messerschmidt, lists@michel-messerschmidt.de