Merge commit from fork

* Fix FreeText annotation style string escaping

* Remove dist artifacts from FreeText fix PR

* Harden FreeText color: add hex validation, fix double #, expand tests

- Validate color as hex pattern (3-8 hex chars), fallback to 000000
  for non-hex input as defense-in-depth alongside pdfEscape
- Strip leading # before concatenation to prevent double ## in output
- Add tests: injection rejection, backslash bypass, valid hex colors,
  double # prevention, non-hex fallback

* Update freetext.pdf reference for double # fix

The reference file had color:##ff0000 (double #) which was
a pre-existing bug. Now that we strip the leading # before
concatenation, the output is color:#ff0000 and the reference
must match.

* Revert "Update freetext.pdf reference for double # fix"

This reverts commit b6139558ededb872a663f62898d68f0f2d35bde5.

* Revert "Harden FreeText color: add hex validation, fix double #, expand tests"

This reverts commit 0b8baf967c5089ec40f0a86c3d59cb47fcc0823e.

---------

Co-authored-by: Doruk <peak@peaktwilight.com>
Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>

Author: 3 people

src/modules/annotations.js

@@ -191,6 +191,9 @@ import { jsPDF } from "../jspdf.js";
               getVerticalCoordinateString(anno.bounds.y + anno.bounds.h) +
               "] ";
             var color = anno.color || "#000000";
+            var defaultStyle =
+              "font: Helvetica,sans-serif 12.0pt; text-align:left; color:#" +
+              color;
             line =
               "<</Type /Annot /Subtype /" +
               "FreeText" +
@@ -199,10 +202,7 @@ import { jsPDF } from "../jspdf.js";
               "/Contents (" +
               escape(encryptor(anno.contents)) +
               ")";
-            line +=
-              " /DS(font: Helvetica,sans-serif 12.0pt; text-align:left; color:#" +
-              color +
-              ")";
+            line += " /DS(" + escape(encryptor(defaultStyle)) + ")";
             line += " /Border [0 0 0]";
             line += " >>";
             this.internal.write(line);

test/specs/annotations.spec.js

@@ -55,6 +55,28 @@ describe("Module: Annotations", () => {
     });
     comparePdf(doc.output(), "freetext.pdf", "annotations");
   });
+  it("should escape free text annotation style strings", () => {
+    const doc = jsPDF({ floatPrecision: 2 });
+    doc.createAnnotation({
+      type: "freetext",
+      bounds: {
+        x: 0,
+        y: 10,
+        w: 200,
+        h: 20
+      },
+      contents: "This is a freetext annotation",
+      color: '000000) /AA <</E <</S /JavaScript /JS (alert("x"))>>>> ('
+    });
+
+    const output = doc.output();
+    const dsMatch = output.match(/\/DS\((.*)\) \/Border \[0 0 0\]/);
+
+    expect(dsMatch).not.toBeNull();
+    expect(dsMatch[1]).toContain(
+      'color:#000000\\) /AA <</E <</S /JavaScript /JS \\(alert\\("x"\\)\\)>>>> \\('
+    );
+  });
   it("should draw a link on the text with link after add page", () => {
     const doc = new jsPDF({
       unit: "px",