parallax jsPDF
cpe:2.3:a:parall:jspdf:*:*:*:*:node.js:*:*
- <= 4.2.0
A critical HTML injection vulnerability has been identified in jsPDF versions prior to 4.2.1. The issue arises when user-controlled data reaches the 'options' argument of the 'output' function: it can be used to inject arbitrary HTML, including scripts, into the browser context where the generated PDF is opened. The vulnerability affects several method overloads and their corresponding options, allowing attackers to execute scripts in the context of the user who opens the PDF.
Exploitation of this vulnerability allows for HTML injection, with the potential to execute scripts in the browser context where the PDF is opened. This could lead to the extraction or modification of sensitive information from that context.
To reproduce this vulnerability, create a PDF using jsPDF version 4.2.0 or earlier. When calling the 'output' function, choose one of the vulnerable overloads: 'pdfobjectnewwindow', 'pdfjsnewwindow', or 'dataurlnewwindow'. Inject a payload into the 'filename' option or, for the 'pdfobjectnewwindow' overload, into the 'pdfObjectUrl' option. Once the PDF is generated and opened, the injected script will execute in the browser context.
Users can update to jsPDF version 4.2.1 or later to address this vulnerability. Additionally, it is recommended to sanitize user input before passing it to the 'output' method.
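The input sanitization recommended above could look like the following added example, which is not code from jsPDF or from this advisory. It allowlists the 'filename' and 'pdfObjectUrl' options before they reach 'output'; the function names and the `static.example.com` origin are assumptions.

```javascript
// Added example; safeFilename, safeViewerUrl, safeOutputOptions and
// ALLOWED_VIEWER_ORIGINS are hypothetical names, not part of jsPDF.

// Assumption: the only origin you serve the PDFObject script from.
const ALLOWED_VIEWER_ORIGINS = new Set(["https://static.example.com"]);

// Reduce a user-supplied file name to a conservative character allowlist.
function safeFilename(input, fallback = "document.pdf") {
  if (typeof input !== "string") return fallback;
  // NFKC first, so full-width look-alikes of < > " fold to ASCII and get stripped.
  const base = input.normalize("NFKC").replace(/\.pdf$/i, "");
  const cleaned = base.replace(/[^A-Za-z0-9 _.-]/g, "").trim().slice(0, 100);
  return /[A-Za-z0-9]/.test(cleaned) ? cleaned + ".pdf" : fallback;
}

// Accept a viewer script URL only if it is https and on the allowlist.
function safeViewerUrl(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== "https:" || !ALLOWED_VIEWER_ORIGINS.has(url.origin)) return null;
  return url.href; // serialized form, with quotes and angle brackets percent-encoded
}

// Build a fresh options object; unknown keys from the caller are dropped.
function safeOutputOptions(user) {
  const src = user && typeof user === "object" ? user : {};
  const options = { filename: safeFilename(src.filename) };
  const viewer = safeViewerUrl(src.pdfObjectUrl);
  if (viewer) options.pdfObjectUrl = viewer;
  return options;
}

// Usage with a jsPDF document `doc` (not run here):
//   doc.output("pdfobjectnewwindow", safeOutputOptions(untrustedOptions));
```

Validation of this kind complements the upgrade to 4.2.1 or later and does not replace it.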