SaralynBegginer

Asked: April 15, 20252025-04-15T04:46:55+00:00 2025-04-15T04:46:55+00:00In: PHP

XSS Inside .pdf in PHP when return inline

I have an web app using PHP Laravel and user can upload file .pdf attachment. I already checked the file mimetype and format. But i have this xss hidden in pdf file. When i test uploading the pdf file and opening that pdf. the xss is executed because i’m using inline return to preview the pdf.

Is xss inside pdf is dangerous? what are my steps to secure it? all i know is to return the file as downloaded file. Currently I’m using shared hosting so there is no terminal access to sanitize the file

%PDF-1.3
%    
1 0 obj
<>
endobj
2 0 obj
<>
endobj
3 0 obj
<>>>
  /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
  /Resources
  <>>>>>
  /Type /Page>>
endobj
4 0 obj
<>
stream

BT
/F1 24 Tf
ET
    
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer

<>
startxref
493
%%EOF

This is the pdf code, i open it in notepad and save as .pdf

Thanks in advance

I add mimetype validation, the only working way is to send the file and force the user to download

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

What is Physics? Definition, History, Importance, Scope (Class 11)

The Living World – Introduction, Classification, Characteristics, FAQs (Class 11 ...

Explain - Biological Classification (Class 11 - Biology)

Sign Up

Sign In

Forgot Password

StackOverflow Latest Questions

XSS Inside .pdf in PHP when return inline

Leave an answerCancel reply

Leave an answer
Cancel reply