Merge commit from fork

* Fix popup rendering for new window outputs

* Encode filename in data URI, add edge case tests

- Encode options.filename in datauristring to prevent data URI
  structure corruption via semicolons/commas
- Add tests: SRI on default pdfobject URL, data URI filename encoding,
  malicious pdfJsUrl attribute injection attempt

* Fix SRI test: split into default and custom URL cases

The previous test claimed to cover both default and custom URL
paths but only checked the default. Now split into two separate
tests that each verify what they claim.

---------

Co-authored-by: Doruk <peak@peaktwilight.com>

Author: sofianeelhor

src/jspdf.js

@@ -3007,6 +3007,47 @@ function jsPDF(options) {
     });
   });
 
+  var clearDomNode = function(node) {
+    while (node.firstChild) {
+      node.removeChild(node.firstChild);
+    }
+  };
+
+  var initializeNewWindow = function(window) {
+    var targetDocument = window.document;
+    var html = targetDocument.documentElement;
+    var head = targetDocument.head;
+    var body = targetDocument.body;
+    var style;
+
+    if (!head) {
+      head = targetDocument.createElement("head");
+      html.appendChild(head);
+    }
+
+    if (!body) {
+      body = targetDocument.createElement("body");
+      html.appendChild(body);
+    }
+
+    clearDomNode(head);
+    clearDomNode(body);
+
+    style = targetDocument.createElement("style");
+    style.appendChild(
+      targetDocument.createTextNode(
+        "html, body { padding: 0; margin: 0; } iframe { width: 100%; height: 100%; border: 0;}"
+      )
+    );
+
+    head.appendChild(style);
+
+    return {
+      document: targetDocument,
+      body: body
+    };
+  };
+
   /**
    * Generates the PDF document.
    *
@@ -3084,7 +3125,7 @@ function jsPDF(options) {
         }
         return (
           "data:application/pdf;filename=" +
-          options.filename +
+          encodeURIComponent(options.filename) +
           ";base64," +
           dataURI
         );
@@ -3094,29 +3135,34 @@ function jsPDF(options) {
         ) {
           var pdfObjectUrl =
             "https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js";
-          var integrity =
-            ' integrity="sha512-4ze/a9/4jqu+tX9dfOqJYSvyYd5M6qum/3HpCLr+/Jqf0whc37VUbkpNGHR7/8pSnCFw47T1fmIpwBV7UySh3g==" crossorigin="anonymous"';
+          var useDefaultPdfObjectUrl = !options.pdfObjectUrl;
 
-          if (options.pdfObjectUrl) {
+          if (!useDefaultPdfObjectUrl) {
             pdfObjectUrl = options.pdfObjectUrl;
-            integrity = "";
           }
 
-          var htmlForNewWindow =
-            "<html>" +
-            '<style>html, body { padding: 0; margin: 0; } iframe { width: 100%; height: 100%; border: 0;}  </style><body><script src="' +
-            pdfObjectUrl +
-            '"' +
-            integrity +
-            '></script><script >PDFObject.embed("' +
-            this.output("dataurlstring") +
-            '", ' +
-            JSON.stringify(options) +
-            ");</script></body></html>";
           var nW = globalObject.open();
 
           if (nW !== null) {
-            nW.document.write(htmlForNewWindow);
+            var initializedPdfObjectWindow = initializeNewWindow(nW);
+            var pdfObjectScript = initializedPdfObjectWindow.document.createElement(
+              "script"
+            );
+            var scope = this;
+
+            pdfObjectScript.src = pdfObjectUrl;
+
+            if (useDefaultPdfObjectUrl) {
+              pdfObjectScript.integrity =
+                "sha512-4ze/a9/4jqu+tX9dfOqJYSvyYd5M6qum/3HpCLr+/Jqf0whc37VUbkpNGHR7/8pSnCFw47T1fmIpwBV7UySh3g==";
+              pdfObjectScript.crossOrigin = "anonymous";
+            }
+
+            pdfObjectScript.onload = function() {
+              nW.PDFObject.embed(scope.output("dataurlstring"), options);
+            };
+
+            initializedPdfObjectWindow.body.appendChild(pdfObjectScript);
           }
           return nW;
         } else {
@@ -3129,30 +3175,33 @@ function jsPDF(options) {
           Object.prototype.toString.call(globalObject) === "[object Window]"
         ) {
           var pdfJsUrl = options.pdfJsUrl || "examples/PDF.js/web/viewer.html";
-          var htmlForPDFjsNewWindow =
-            "<html>" +
-            "<style>html, body { padding: 0; margin: 0; } iframe { width: 100%; height: 100%; border: 0;}  </style>" +
-            '<body><iframe id="pdfViewer" src="' +
-            pdfJsUrl +
-            "?file=&downloadName=" +
-            options.filename +
-            '" width="500px" height="400px" />' +
-            "</body></html>";
           var PDFjsNewWindow = globalObject.open();
 
           if (PDFjsNewWindow !== null) {
-            PDFjsNewWindow.document.write(htmlForPDFjsNewWindow);
+            var initializedPdfJsWindow = initializeNewWindow(PDFjsNewWindow);
+            var pdfViewer = initializedPdfJsWindow.document.createElement(
+              "iframe"
+            );
+            var pdfJsQueryChar = pdfJsUrl.indexOf("?") === -1 ? "?" : "&";
             var scope = this;
-            PDFjsNewWindow.document.documentElement.querySelector(
-              "#pdfViewer"
-            ).onload = function() {
+
+            pdfViewer.id = "pdfViewer";
+            pdfViewer.width = "500px";
+            pdfViewer.height = "400px";
+            pdfViewer.src =
+              pdfJsUrl +
+              pdfJsQueryChar +
+              "file=&downloadName=" +
+              encodeURIComponent(options.filename);
+
+            pdfViewer.onload = function() {
               PDFjsNewWindow.document.title = options.filename;
-              PDFjsNewWindow.document.documentElement
-                .querySelector("#pdfViewer")
-                .contentWindow.PDFViewerApplication.open(
-                  scope.output("bloburl")
-                );
+              pdfViewer.contentWindow.PDFViewerApplication.open(
+                scope.output("bloburl")
+              );
             };
+
+            initializedPdfJsWindow.body.appendChild(pdfViewer);
           }
           return PDFjsNewWindow;
         } else {
@@ -3164,17 +3213,17 @@ function jsPDF(options) {
         if (
           Object.prototype.toString.call(globalObject) === "[object Window]"
         ) {
-          var htmlForDataURLNewWindow =
-            "<html>" +
-            "<style>html, body { padding: 0; margin: 0; } iframe { width: 100%; height: 100%; border: 0;}  </style>" +
-            "<body>" +
-            '<iframe src="' +
-            this.output("datauristring", options) +
-            '"></iframe>' +
-            "</body></html>";
           var dataURLNewWindow = globalObject.open();
           if (dataURLNewWindow !== null) {
-            dataURLNewWindow.document.write(htmlForDataURLNewWindow);
+            var initializedDataUrlWindow = initializeNewWindow(
+              dataURLNewWindow
+            );
+            var dataUrlFrame = initializedDataUrlWindow.document.createElement(
+              "iframe"
+            );
+
+            dataUrlFrame.src = this.output("datauristring", options);
+            initializedDataUrlWindow.body.appendChild(dataUrlFrame);
             dataURLNewWindow.document.title = options.filename;
           }
           if (dataURLNewWindow || typeof safari === "undefined")

test/specs/init.spec.js

@@ -88,6 +88,14 @@ describe("Core: Initialization Options", () => {
   });
 
   if (global.isNode !== true) {
+    const createPopupWindow = () => {
+      const popupDocument = document.implementation.createHTMLDocument("");
+
+      return {
+        document: popupDocument
+      };
+    };
+
     xit("should open a new window", () => {
       if (navigator.userAgent.indexOf("Trident") !== -1) {
         console.warn("Skipping IE for new window test");
@@ -98,6 +106,141 @@ describe("Core: Initialization Options", () => {
       doc.output("dataurlnewwindow");
       // expect(doc.output('dataurlnewwindow').Window).toEqual(jasmine.any(Function))
     });
+
+    it("should safely render dataurlnewwindow content with attacker controlled filenames", () => {
+      const doc = jsPDF();
+      const popupWindow = createPopupWindow();
+      const payload = '"></iframe><script>window.__xss = true</script>';
+
+      spyOn(global, "open").and.returnValue(popupWindow);
+
+      doc.output("dataurlnewwindow", { filename: payload });
+
+      expect(popupWindow.document.title).toEqual(payload);
+      expect(popupWindow.document.querySelectorAll("script").length).toEqual(0);
+      expect(popupWindow.document.querySelectorAll("iframe").length).toEqual(1);
+    });
+
+    it("should safely render pdfjsnewwindow content with attacker controlled filenames", () => {
+      const doc = jsPDF();
+      const popupWindow = createPopupWindow();
+      const payload = '"></iframe><script>window.__xss = true</script>';
+      let viewerFrame;
+
+      spyOn(global, "open").and.returnValue(popupWindow);
+
+      doc.output("pdfjsnewwindow", {
+        filename: payload,
+        pdfJsUrl: "viewer.html"
+      });
+
+      viewerFrame = popupWindow.document.querySelector("#pdfViewer");
+      Object.defineProperty(viewerFrame, "contentWindow", {
+        value: {
+          PDFViewerApplication: {
+            open: jasmine.createSpy("open")
+          }
+        }
+      });
+
+      viewerFrame.onload();
+
+      expect(popupWindow.document.title).toEqual(payload);
+      expect(popupWindow.document.querySelectorAll("script").length).toEqual(0);
+      expect(viewerFrame.src).toContain(encodeURIComponent(payload));
+      expect(
+        viewerFrame.contentWindow.PDFViewerApplication.open
+      ).toHaveBeenCalled();
+    });
+
+    it("should safely render pdfobjectnewwindow content with attacker controlled options", () => {
+      const doc = jsPDF();
+      const popupWindow = createPopupWindow();
+      const payload = "</script><script>window.__xss = true</script>";
+      let loaderScript;
+
+      popupWindow.PDFObject = {
+        embed: jasmine.createSpy("embed")
+      };
+
+      spyOn(global, "open").and.returnValue(popupWindow);
+
+      doc.output("pdfobjectnewwindow", {
+        filename: payload,
+        pdfObjectUrl: "https://example.com/pdfobject.js",
+        customOption: payload
+      });
+
+      loaderScript = popupWindow.document.querySelector("script");
+      loaderScript.onload();
+
+      expect(popupWindow.document.querySelectorAll("script").length).toEqual(1);
+      expect(popupWindow.PDFObject.embed).toHaveBeenCalledWith(
+        jasmine.any(String),
+        jasmine.objectContaining({
+          filename: payload,
+          customOption: payload
+        })
+      );
+    });
+
+    it("should set SRI attributes when using default pdfobject URL", () => {
+      const doc = jsPDF();
+      const popupWindow = createPopupWindow();
+
+      popupWindow.PDFObject = { embed: jasmine.createSpy("embed") };
+      spyOn(global, "open").and.returnValue(popupWindow);
+
+      doc.output("pdfobjectnewwindow", { filename: "test.pdf" });
+      var loaderScript = popupWindow.document.querySelector("script");
+      expect(loaderScript.integrity).toBeTruthy();
+      expect(loaderScript.crossOrigin).toEqual("anonymous");
+    });
+
+    it("should omit SRI attributes when using custom pdfobject URL", () => {
+      const doc = jsPDF();
+      const popupWindow = createPopupWindow();
+
+      popupWindow.PDFObject = { embed: jasmine.createSpy("embed") };
+      spyOn(global, "open").and.returnValue(popupWindow);
+
+      doc.output("pdfobjectnewwindow", {
+        filename: "test.pdf",
+        pdfObjectUrl: "https://example.com/pdfobject.js"
+      });
+      var loaderScript = popupWindow.document.querySelector("script");
+      expect(loaderScript.integrity).toBeFalsy();
+      expect(loaderScript.src).toContain("example.com");
+    });
+
+    it("should encode filename in datauristring to prevent data URI corruption", () => {
+      const doc = jsPDF();
+      const payload = "evil;base64,PHNjcmlwdD4=;fakeparam";
+
+      const result = doc.output("datauristring", { filename: payload });
+      expect(result).toContain("filename=" + encodeURIComponent(payload));
+      expect(result).not.toContain("filename=" + payload);
+    });
+
+    it("should safely handle pdfjsnewwindow with malicious pdfJsUrl", () => {
+      const doc = jsPDF();
+      const popupWindow = createPopupWindow();
+      const maliciousUrl = '" onload="alert(1)" data-x="';
+
+      spyOn(global, "open").and.returnValue(popupWindow);
+
+      doc.output("pdfjsnewwindow", {
+        filename: "test.pdf",
+        pdfJsUrl: maliciousUrl
+      });
+
+      const iframe = popupWindow.document.querySelector("#pdfViewer");
+      // DOM API sets src safely - no attribute injection possible
+      expect(iframe).not.toBeNull();
+      expect(popupWindow.document.querySelectorAll("script").length).toEqual(0);
+      // The iframe count should be exactly 1 (no injected elements)
+      expect(popupWindow.document.querySelectorAll("iframe").length).toEqual(1);
+    });
   }
 
   const renderBoxes = doc => {