npm - nodebb-plugin-pdf-secure - Versions diffs - 1.2.6 → 1.2.7 - Mend

nodebb-plugin-pdf-secure 1.2.6 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/library.js CHANGED Viewed

@@ -131,8 +131,8 @@ plugin.filterMetaTags = async (hookData) => {
 	// Filter out PDF-related meta tags
 	hookData.tags = hookData.tags.filter(tag => {
-		// Remove og:image if it contains .pdf
-		if (tag.property === 'og:image' && tag.content && tag.content.toLowerCase().includes('.pdf')) {
+		// Remove og:image and og:image:url if it contains .pdf
+		if ((tag.property === 'og:image' || tag.property === 'og:image:url') && tag.content && tag.content.toLowerCase().includes('.pdf')) {
 			return false;
 		}
 		// Remove twitter:image if it contains .pdf
@@ -154,4 +154,37 @@ plugin.filterMetaTags = async (hookData) => {
 	return hookData;
 };
+// Transform PDF links to secure placeholders (server-side)
+// This hides PDF URLs from: page source, API, RSS, ActivityPub
+plugin.transformPdfLinks = async (data) => {
+	if (!data || !data.postData || !data.postData.content) {
+		return data;
+	}
+	// Regex to match PDF links: <a href="...xxx.pdf">text</a>
+	// Captures: full URL path, filename, link text
+	const pdfLinkRegex = /<a\s+[^>]*href=["']([^"']*\/([^"'\/]+\.pdf))["'][^>]*>([^<]*)<\/a>/gi;
+	data.postData.content = data.postData.content.replace(pdfLinkRegex, (match, fullPath, filename, linkText) => {
+		// Decode filename to prevent double encoding (URL may already be encoded)
+		let decodedFilename;
+		try { decodedFilename = decodeURIComponent(filename); }
+		catch (e) { decodedFilename = filename; }
+		// Sanitize for HTML attribute
+		const safeFilename = decodedFilename.replace(/[<>"'&]/g, '');
+		const displayName = linkText.trim() || safeFilename;
+		// Return secure placeholder div instead of actual link
+		return `<div class="pdf-secure-placeholder" data-filename="${safeFilename}">
+			<svg viewBox="0 0 24 24" style="width:20px;height:20px;fill:#e81224;vertical-align:middle;margin-right:8px;">
+				<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>
+			</svg>
+			<span>${displayName}</span>
+		</div>`;
+	});
+	return data;
+};
 module.exports = plugin;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-pdf-secure",
-  "version": "1.2.6",
+  "version": "1.2.7",
   "description": "Secure PDF viewer plugin for NodeBB - prevents downloading, enables canvas-only rendering with Premium group support",
   "main": "library.js",
   "repository": {

package/plugin.json CHANGED Viewed

@@ -18,6 +18,10 @@
 		{
 			"hook": "filter:meta.getMetaTags",
 			"method": "filterMetaTags"
+		},
+		{
+			"hook": "filter:parse.post",
+			"method": "transformPdfLinks"
 		}
 	],
 	"staticDirs": {

package/static/lib/main.js CHANGED Viewed

@@ -2,6 +2,26 @@
 // Main plugin logic - PDF links become inline embedded viewers with lazy loading + queue
 (async function () {
+	// ============================================
+	// PDF.js PRELOAD - Cache CDN assets before iframe loads
+	// ============================================
+	(function preloadPdfJs() {
+		const preloads = [
+			{ href: 'https://cdnjs.cloudflare.com/ajax/libs/pdf.js/3.11.174/pdf.min.js', as: 'script' },
+			{ href: 'https://cdnjs.cloudflare.com/ajax/libs/pdf.js/3.11.174/pdf_viewer.min.css', as: 'style' }
+		];
+		preloads.forEach(({ href, as }) => {
+			if (!document.querySelector(`link[href="${href}"]`)) {
+				const link = document.createElement('link');
+				link.rel = 'preload';
+				link.href = href;
+				link.as = as;
+				link.crossOrigin = 'anonymous';
+				document.head.appendChild(link);
+			}
+		});
+	})();
 	// Loading queue - only load one PDF at a time
 	const loadQueue = [];
 	let isLoading = false;
@@ -9,6 +29,9 @@
 	// Listen for postMessage from iframe when PDF is fully rendered
 	window.addEventListener('message', function (event) {
+		// Security: Only accept messages from same origin
+		if (event.origin !== window.location.origin) return;
 		if (event.data && event.data.type === 'pdf-secure-ready') {
 			console.log('[PDF-Secure] Queue: PDF ready -', event.data.filename);
 			if (currentResolver) {
@@ -59,8 +82,20 @@
 		var postContents = document.querySelectorAll('[component="post/content"]');
 		postContents.forEach(function (content) {
-			var pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
+			// NEW: Detect server-rendered secure placeholders (hides URL from source)
+			var placeholders = content.querySelectorAll('.pdf-secure-placeholder');
+			placeholders.forEach(function (placeholder) {
+				if (placeholder.dataset.pdfSecureProcessed) return;
+				placeholder.dataset.pdfSecureProcessed = 'true';
+				var filename = placeholder.dataset.filename;
+				var displayName = placeholder.querySelector('span')?.textContent || filename;
+				createPdfViewer(placeholder, filename, displayName);
+			});
+			// FALLBACK: Detect old-style PDF links (for backwards compatibility)
+			var pdfLinks = content.querySelectorAll('a[href$=".pdf"], a[href$=".PDF"]');
 			pdfLinks.forEach(function (link) {
 				if (link.dataset.pdfSecure) return;
 				link.dataset.pdfSecure = 'true';
@@ -68,112 +103,119 @@
 				var href = link.getAttribute('href');
 				var parts = href.split('/');
 				var filename = parts[parts.length - 1];
+				var displayName = link.textContent || filename;
-				// Create container
-				var container = document.createElement('div');
-				container.className = 'pdf-secure-embed';
-				container.style.cssText = 'margin:16px 0;border-radius:12px;overflow:hidden;background:#1f1f1f;border:1px solid rgba(255,255,255,0.1);box-shadow:0 4px 20px rgba(0,0,0,0.25);';
-				// Header
-				var header = document.createElement('div');
-				header.className = 'pdf-secure-embed-header';
-				header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;background:linear-gradient(135deg,#2d2d2d 0%,#252525 100%);border-bottom:1px solid rgba(255,255,255,0.08);';
-				var title = document.createElement('div');
-				title.className = 'pdf-secure-embed-title';
-				title.style.cssText = 'display:flex;align-items:center;gap:10px;color:#fff;font-size:14px;font-weight:500;';
-				var icon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
-				icon.setAttribute('viewBox', '0 0 24 24');
-				icon.style.cssText = 'width:20px;height:20px;min-width:20px;max-width:20px;fill:#e81224;flex-shrink:0;';
-				icon.innerHTML = '<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>';
-				var nameSpan = document.createElement('span');
-				nameSpan.style.cssText = 'white-space:nowrap;overflow:hidden;text-overflow:ellipsis;max-width:400px;';
-				nameSpan.textContent = decodeURIComponent(link.textContent || filename);
-				title.appendChild(icon);
-				title.appendChild(nameSpan);
-				// Actions
-				var actions = document.createElement('div');
-				actions.style.cssText = 'display:flex;gap:8px;';
-				var fullscreenBtn = document.createElement('button');
-				fullscreenBtn.className = 'pdf-secure-fullscreen-btn';
-				fullscreenBtn.title = 'Tam Ekran';
-				fullscreenBtn.style.cssText = 'display:flex;align-items:center;justify-content:center;width:32px;height:32px;background:rgba(255,255,255,0.08);border:none;border-radius:6px;cursor:pointer;';
-				var fullscreenIcon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
-				fullscreenIcon.setAttribute('viewBox', '0 0 24 24');
-				fullscreenIcon.style.cssText = 'width:18px;height:18px;min-width:18px;max-width:18px;fill:#fff;';
-				fullscreenIcon.innerHTML = '<path d="M7 14H5v5h5v-2H7v-3zm-2-4h2V7h3V5H5v5zm12 7h-3v2h5v-5h-2v3zM14 5v2h3v3h2V5h-5z"/>';
-				fullscreenBtn.appendChild(fullscreenIcon);
-				actions.appendChild(fullscreenBtn);
-				header.appendChild(title);
-				header.appendChild(actions);
-				container.appendChild(header);
-				// Body with loading placeholder
-				var iframeWrapper = document.createElement('div');
-				iframeWrapper.className = 'pdf-secure-embed-body';
-				iframeWrapper.style.cssText = 'position:relative;width:100%;height:600px;background:#525659;';
-				// Loading placeholder - ALWAYS VISIBLE until PDF ready (z-index: 10)
-				var loadingPlaceholder = document.createElement('div');
-				loadingPlaceholder.className = 'pdf-loading-placeholder';
-				loadingPlaceholder.style.cssText = 'position:absolute;top:0;left:0;right:0;bottom:0;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#2d2d2d;color:#fff;gap:16px;z-index:10;transition:opacity 0.3s;';
-				loadingPlaceholder.innerHTML = `
+				createPdfViewer(link, filename, displayName);
+			});
+		});
+	}
+	function createPdfViewer(targetElement, filename, displayName) {
+		// Create container
+		var container = document.createElement('div');
+		container.className = 'pdf-secure-embed';
+		container.style.cssText = 'margin:16px 0;border-radius:12px;overflow:hidden;background:#1f1f1f;border:1px solid rgba(255,255,255,0.1);box-shadow:0 4px 20px rgba(0,0,0,0.25);';
+		// Header
+		var header = document.createElement('div');
+		header.className = 'pdf-secure-embed-header';
+		header.style.cssText = 'display:flex;align-items:center;justify-content:space-between;padding:10px 16px;background:linear-gradient(135deg,#2d2d2d 0%,#252525 100%);border-bottom:1px solid rgba(255,255,255,0.08);';
+		var title = document.createElement('div');
+		title.className = 'pdf-secure-embed-title';
+		title.style.cssText = 'display:flex;align-items:center;gap:10px;color:#fff;font-size:14px;font-weight:500;';
+		var icon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+		icon.setAttribute('viewBox', '0 0 24 24');
+		icon.style.cssText = 'width:20px;height:20px;min-width:20px;max-width:20px;fill:#e81224;flex-shrink:0;';
+		icon.innerHTML = '<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>';
+		var nameSpan = document.createElement('span');
+		nameSpan.style.cssText = 'white-space:nowrap;overflow:hidden;text-overflow:ellipsis;max-width:400px;';
+		try { nameSpan.textContent = decodeURIComponent(displayName); }
+		catch (e) { nameSpan.textContent = displayName; }
+		title.appendChild(icon);
+		title.appendChild(nameSpan);
+		// Actions
+		var actions = document.createElement('div');
+		actions.style.cssText = 'display:flex;gap:8px;';
+		var fullscreenBtn = document.createElement('button');
+		fullscreenBtn.className = 'pdf-secure-fullscreen-btn';
+		fullscreenBtn.title = 'Tam Ekran';
+		fullscreenBtn.style.cssText = 'display:flex;align-items:center;justify-content:center;width:32px;height:32px;background:rgba(255,255,255,0.08);border:none;border-radius:6px;cursor:pointer;';
+		var fullscreenIcon = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
+		fullscreenIcon.setAttribute('viewBox', '0 0 24 24');
+		fullscreenIcon.style.cssText = 'width:18px;height:18px;min-width:18px;max-width:18px;fill:#fff;';
+		fullscreenIcon.innerHTML = '<path d="M7 14H5v5h5v-2H7v-3zm-2-4h2V7h3V5H5v5zm12 7h-3v2h5v-5h-2v3zM14 5v2h3v3h2V5h-5z"/>';
+		fullscreenBtn.appendChild(fullscreenIcon);
+		actions.appendChild(fullscreenBtn);
+		header.appendChild(title);
+		header.appendChild(actions);
+		container.appendChild(header);
+		// Body with loading placeholder
+		var iframeWrapper = document.createElement('div');
+		iframeWrapper.className = 'pdf-secure-embed-body';
+		iframeWrapper.style.cssText = 'position:relative;width:100%;height:600px;background:#525659;';
+		// Loading placeholder - ALWAYS VISIBLE until PDF ready (z-index: 10)
+		var loadingPlaceholder = document.createElement('div');
+		loadingPlaceholder.className = 'pdf-loading-placeholder';
+		loadingPlaceholder.style.cssText = 'position:absolute;top:0;left:0;right:0;bottom:0;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#2d2d2d;color:#fff;gap:16px;z-index:10;transition:opacity 0.3s;';
+		loadingPlaceholder.innerHTML = `
 					<svg viewBox="0 0 24 24" style="width:48px;height:48px;fill:#555;">
 						<path d="M14 2H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V8l-6-6zm4 18H6V4h7v5h5v11z"/>
 					</svg>
 					<div class="pdf-loading-text" style="font-size:14px;color:#a0a0a0;">Sırada bekliyor...</div>
 					<style>@keyframes spin{from{transform:rotate(0deg)}to{transform:rotate(360deg)}}</style>
 				`;
-				iframeWrapper.appendChild(loadingPlaceholder);
+		iframeWrapper.appendChild(loadingPlaceholder);
-				container.appendChild(iframeWrapper);
+		container.appendChild(iframeWrapper);
-				// Fullscreen handler
-				fullscreenBtn.addEventListener('click', function () {
-					var iframe = iframeWrapper.querySelector('iframe');
-					if (iframe) {
-						if (iframe.requestFullscreen) iframe.requestFullscreen();
-						else if (iframe.webkitRequestFullscreen) iframe.webkitRequestFullscreen();
+		// Fullscreen handler
+		fullscreenBtn.addEventListener('click', function () {
+			var iframe = iframeWrapper.querySelector('iframe');
+			if (iframe) {
+				if (iframe.requestFullscreen) iframe.requestFullscreen();
+				else if (iframe.webkitRequestFullscreen) iframe.webkitRequestFullscreen();
+			}
+		});
+		targetElement.replaceWith(container);
+		// LAZY LOADING with Intersection Observer + Queue
+		var observer = new IntersectionObserver(function (entries) {
+			entries.forEach(function (entry) {
+				if (entry.isIntersecting) {
+					// Update placeholder to show loading state
+					var textEl = loadingPlaceholder.querySelector('.pdf-loading-text');
+					if (textEl) textEl.textContent = 'PDF Yükleniyor...';
+					var svgEl = loadingPlaceholder.querySelector('svg');
+					if (svgEl) {
+						svgEl.style.fill = '#0078d4';
+						svgEl.style.animation = 'spin 1s linear infinite';
+						svgEl.innerHTML = '<path d="M12 4V2A10 10 0 0 0 2 12h2a8 8 0 0 1 8-8z"/>';
 					}
-				});
-				link.replaceWith(container);
-				// LAZY LOADING with Intersection Observer + Queue
-				var observer = new IntersectionObserver(function (entries) {
-					entries.forEach(function (entry) {
-						if (entry.isIntersecting) {
-							// Update placeholder to show loading state
-							var textEl = loadingPlaceholder.querySelector('.pdf-loading-text');
-							if (textEl) textEl.textContent = 'PDF Yükleniyor...';
-							var svgEl = loadingPlaceholder.querySelector('svg');
-							if (svgEl) {
-								svgEl.style.fill = '#0078d4';
-								svgEl.style.animation = 'spin 1s linear infinite';
-								svgEl.innerHTML = '<path d="M12 4V2A10 10 0 0 0 2 12h2a8 8 0 0 1 8-8z"/>';
-							}
-							// Add to queue
-							queuePdfLoad(iframeWrapper, filename, loadingPlaceholder);
-							observer.disconnect();
-						}
-					});
-				}, {
-					rootMargin: '200px',
-					threshold: 0
-				});
-				observer.observe(container);
+					// Add to queue
+					queuePdfLoad(iframeWrapper, filename, loadingPlaceholder);
+					observer.disconnect();
+				}
 			});
+		}, {
+			rootMargin: '200px',
+			threshold: 0
 		});
+		observer.observe(container);
 	}
 	function loadPdfIframe(wrapper, filename, placeholder) {

package/static/viewer.html CHANGED Viewed

@@ -1568,6 +1568,17 @@
                 } catch (err) {
                     console.error('[PDF-Secure] Auto-load error:', err);
+                    // Notify parent of error (prevents 60s queue hang)
+                    if (window.parent && window.parent !== window) {
+                        const config = window.PDF_SECURE_CONFIG || {};
+                        window.parent.postMessage({
+                            type: 'pdf-secure-ready',
+                            filename: config.filename,
+                            error: err.message
+                        }, '*');
+                    }
                     if (dropzone) {
                         dropzone.innerHTML = `
                         <svg viewBox="0 0 24 24" style="fill: #e81224;">