pdfmake 0.3.7 → 0.3.8

package/js/LayoutBuilder.js

@@ -845,11 +845,13 @@ class LayoutBuilder {
         // We store a reference of the ending cell in the first cell of the rowspan
         cell._endingCell = rowSpanRightEndingCell;
         cell._endingCell._startingRowSpanY = cell._startingRowSpanY;
+        cell._endingCell._startingRowSpanPage = cell._startingRowSpanPage;
       }
       if (rowSpanLeftEndingCell) {
         // We store a reference of the left ending cell in the first cell of the rowspan
         cell._leftEndingCell = rowSpanLeftEndingCell;
         cell._leftEndingCell._startingRowSpanY = cell._startingRowSpanY;
+        cell._leftEndingCell._startingRowSpanPage = cell._startingRowSpanPage;
       }
 
       // If we are after a cell that started a rowspan
@@ -884,7 +886,13 @@ class LayoutBuilder {
         if (dontBreakRows) {
           // Calculate how many points we have to discount to Y when dontBreakRows and rowSpan are combined
           const ctxBeforeRowSpanLastRow = this.writer.contextStack[this.writer.contextStack.length - 1];
-          discountY = ctxBeforeRowSpanLastRow.y - cell._startingRowSpanY;
+          const startsOnCurrentPage = typeof cell._startingRowSpanPage === 'number' && cell._startingRowSpanPage === ctxBeforeRowSpanLastRow.page;
+          if (startsOnCurrentPage && typeof cell._startingRowSpanY === 'number') {
+            discountY = ctxBeforeRowSpanLastRow.y - cell._startingRowSpanY;
+          }
+
+          // Do not increase Y by applying a negative discount.
+          discountY = Math.max(0, discountY);
         }
         let originalXOffset = 0;
         // If context was saved from an unbreakable block and we are not in an unbreakable block anymore
@@ -1046,6 +1054,7 @@ class LayoutBuilder {
         tableNode.table.body[i].forEach(cell => {
           if (cell.rowSpan && cell.rowSpan > 1) {
             cell._startingRowSpanY = this.writer.context().y;
+            cell._startingRowSpanPage = this.writer.context().page;
           }
         });
       }

package/js/PDFDocument.js

@@ -3,6 +3,7 @@
 exports.__esModule = true;
 exports.default = void 0;
 var _pdfkit = _interopRequireDefault(require("pdfkit"));
+var _variableType = require("./helpers/variableType");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 const typeName = (bold, italics) => {
   let type = 'normal';
@@ -16,7 +17,7 @@ const typeName = (bold, italics) => {
   return type;
 };
 class PDFDocument extends _pdfkit.default {
-  constructor(fonts = {}, images = {}, patterns = {}, attachments = {}, options = {}, virtualfs = null) {
+  constructor(fonts = {}, images = {}, patterns = {}, attachments = {}, options = {}, virtualfs = null, localAccessPolicy = undefined) {
     super(options);
     this.fonts = {};
     this.fontCache = {};
@@ -41,6 +42,7 @@ class PDFDocument extends _pdfkit.default {
     this.images = images;
     this.attachments = attachments;
     this.virtualfs = virtualfs;
+    this.localAccessPolicy = localAccessPolicy;
   }
   getFontType(bold, italics) {
     return typeName(bold, italics);
@@ -65,6 +67,8 @@ class PDFDocument extends _pdfkit.default {
       }
       if (this.virtualfs && this.virtualfs.existsSync(def[0])) {
         def[0] = this.virtualfs.readFileSync(def[0]);
+      } else {
+        this.validateLocalFile(def[0]);
       }
       this.fontCache[familyName][type] = this.font(...def)._font;
     }
@@ -89,8 +93,10 @@ class PDFDocument extends _pdfkit.default {
       return this._imageRegistry[src];
     }
     let image;
+    let imageSrc = realImageSrc(src);
+    this.validateLocalFile(imageSrc);
     try {
-      image = this.openImage(realImageSrc(src));
+      image = this.openImage(imageSrc);
       if (!image) {
         throw new Error('No image');
       }
@@ -131,8 +137,19 @@ class PDFDocument extends _pdfkit.default {
     if (this.virtualfs && this.virtualfs.existsSync(attachment.src)) {
       return this.virtualfs.readFileSync(attachment.src);
     }
+    this.validateLocalFile(attachment.src);
     return attachment;
   }
+  resolveColor(color, defaultColor) {
+    color = color || defaultColor;
+    if (typeof this._normalizeColor === 'function') {
+      if ((0, _variableType.isString)(color) && this._normalizeColor(color) === null) {
+        // color is not valid
+        return defaultColor;
+      }
+    }
+    return color;
+  }
   setOpenActionAsPrint() {
     let printActionRef = this.ref({
       Type: 'Action',
@@ -142,5 +159,23 @@ class PDFDocument extends _pdfkit.default {
     this._root.data.OpenAction = printActionRef;
     printActionRef.end();
   }
+  file(src, options = {}) {
+    this.validateLocalFile(src);
+    return super.file(src, options);
+  }
+  validateLocalFile(path) {
+    if (typeof this.localAccessPolicy === 'undefined') {
+      return;
+    }
+    if (!(0, _variableType.isString)(path)) {
+      return;
+    }
+    if (/^data:/.test(path)) {
+      return;
+    }
+    if (this.localAccessPolicy(path) !== true) {
+      throw new Error(`Access to local file denied by resource access policy: ${path}`);
+    }
+  }
 }
 var _default = exports.default = PDFDocument;

package/js/Printer.js

@@ -16,11 +16,13 @@ class PdfPrinter {
    * @param {object} fontDescriptors font definition dictionary
    * @param {object} virtualfs
    * @param {object} urlResolver
+   * @param {(path: string) => boolean} localAccessPolicy
    */
-  constructor(fontDescriptors, virtualfs, urlResolver) {
+  constructor(fontDescriptors, virtualfs, urlResolver, localAccessPolicy) {
     this.fontDescriptors = fontDescriptors;
     this.virtualfs = virtualfs;
     this.urlResolver = urlResolver;
+    this.localAccessPolicy = localAccessPolicy;
   }
 
   /**
@@ -66,7 +68,7 @@ class PdfPrinter {
       info: createMetadata(docDefinition),
       font: null
     };
-    this.pdfKitDoc = new _PDFDocument.default(this.fontDescriptors, docDefinition.images, docDefinition.patterns, docDefinition.attachments, pdfOptions, this.virtualfs);
+    this.pdfKitDoc = new _PDFDocument.default(this.fontDescriptors, docDefinition.images, docDefinition.patterns, docDefinition.attachments, pdfOptions, this.virtualfs, this.localAccessPolicy);
     embedFiles(docDefinition, this.pdfKitDoc);
     const builder = new _LayoutBuilder.default(pageSize, (0, _PageSize.normalizePageMargin)(docDefinition.pageMargins), new _SVGMeasure.default());
     builder.registerTableLayouts(_tableLayouts.tableLayouts);

package/js/Renderer.js

@@ -171,7 +171,7 @@ class Renderer {
       }
       let opacity = (0, _variableType.isNumber)(inline.opacity) ? inline.opacity : 1;
       this.pdfDocument.opacity(opacity);
-      this.pdfDocument.fill(inline.color || 'black');
+      this.pdfDocument.fill(this.pdfDocument.resolveColor(inline.color, 'black'));
       this.pdfDocument._font = inline.font;
       this.pdfDocument.fontSize(inline.fontSize);
       let shiftedY = offsetText(y + shiftToBaseline, inline);
@@ -264,14 +264,14 @@ class Renderer {
     let fillOpacity = (0, _variableType.isNumber)(vector.fillOpacity) ? vector.fillOpacity : 1;
     let strokeOpacity = (0, _variableType.isNumber)(vector.strokeOpacity) ? vector.strokeOpacity : 1;
     if (vector.color && vector.lineColor) {
-      this.pdfDocument.fillColor(vector.color, fillOpacity);
-      this.pdfDocument.strokeColor(vector.lineColor, strokeOpacity);
+      this.pdfDocument.fillColor(this.pdfDocument.resolveColor(vector.color, 'black'), fillOpacity);
+      this.pdfDocument.strokeColor(this.pdfDocument.resolveColor(vector.lineColor, 'black'), strokeOpacity);
       this.pdfDocument.fillAndStroke();
     } else if (vector.color) {
-      this.pdfDocument.fillColor(vector.color, fillOpacity);
+      this.pdfDocument.fillColor(this.pdfDocument.resolveColor(vector.color, 'black'), fillOpacity);
       this.pdfDocument.fill();
     } else {
-      this.pdfDocument.strokeColor(vector.lineColor || 'black', strokeOpacity);
+      this.pdfDocument.strokeColor(this.pdfDocument.resolveColor(vector.lineColor, 'black'), strokeOpacity);
       this.pdfDocument.stroke();
     }
   }
@@ -411,7 +411,7 @@ class Renderer {
   }
   renderWatermark(page) {
     let watermark = page.watermark;
-    this.pdfDocument.fill(watermark.color);
+    this.pdfDocument.fill(this.pdfDocument.resolveColor(watermark.color, 'black'));
     this.pdfDocument.opacity(watermark.opacity);
     this.pdfDocument.save();
     this.pdfDocument.rotate(watermark.angle, {

package/js/TableProcessor.js

@@ -5,9 +5,17 @@ exports.default = void 0;
 var _columnCalculator = _interopRequireDefault(require("./columnCalculator"));
 var _variableType = require("./helpers/variableType");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+const PAGE_BREAK_VALUES = new Set(['before', 'beforeOdd', 'beforeEven', 'after', 'afterOdd', 'afterEven']);
+const hasExplicitPageBreak = cell => {
+  if (!cell || typeof cell !== 'object') {
+    return false;
+  }
+  return PAGE_BREAK_VALUES.has(cell.pageBreak);
+};
 class TableProcessor {
   constructor(tableNode) {
     this.tableNode = tableNode;
+    this._isCurrentRowUnbreakable = false;
   }
   beginTable(writer) {
     const getTableInnerContentWidth = () => {
@@ -146,7 +154,10 @@ class TableProcessor {
       writer.context().moveDown(this.topLineWidth);
     }
     this.rowTopPageY = writer.context().y + this.rowPaddingTop;
-    if (this.dontBreakRows && rowIndex > 0) {
+    const rowCells = this.tableNode.table.body[rowIndex] || [];
+    const rowHasPageBreak = rowCells.some(hasExplicitPageBreak);
+    this._isCurrentRowUnbreakable = this.dontBreakRows && rowIndex > 0 && !rowHasPageBreak;
+    if (this._isCurrentRowUnbreakable) {
       writer.beginUnbreakableBlock();
     }
     this.rowTopY = writer.context().y;
@@ -536,7 +547,8 @@ class TableProcessor {
     if (this.headerRows && rowIndex === this.headerRows - 1) {
       this.headerRepeatable = writer.currentBlockToRepeatable();
     }
-    if (this.dontBreakRows) {
+    const shouldCommitCurrentRowUnbreakable = this.dontBreakRows && (rowIndex === 0 || this._isCurrentRowUnbreakable);
+    if (shouldCommitCurrentRowUnbreakable) {
       const pageChangedCallback = () => {
         if (rowIndex > 0 && !this.headerRows && this.layout.hLineWhenBroken !== false) {
           // Draw the top border of the row after a page break
@@ -547,6 +559,7 @@ class TableProcessor {
       writer.commitUnbreakableBlock();
       writer.removeListener('pageChanged', pageChangedCallback);
     }
+    this._isCurrentRowUnbreakable = false;
     if (this.headerRepeatable && (rowIndex === this.rowsWithoutPageBreak - 1 || rowIndex === this.tableNode.table.body.length - 1)) {
       writer.commitUnbreakableBlock();
       writer.pushToRepeatables(this.headerRepeatable);

package/js/TextDecorator.js

@@ -3,7 +3,7 @@
 exports.__esModule = true;
 exports.default = void 0;
 var _variableType = require("./helpers/variableType");
-const groupDecorations = line => {
+const groupDecorations = (line, pdfDocument) => {
   let groups = [];
   let currentGroup = null;
   for (let i = 0, l = line.inlines.length; i < l; i++) {
@@ -16,7 +16,7 @@ const groupDecorations = line => {
     if (!Array.isArray(decoration)) {
       decoration = [decoration];
     }
-    let color = inline.decorationColor || inline.color || 'black';
+    let color = pdfDocument.resolveColor(pdfDocument.resolveColor(inline.decorationColor, inline.color), 'black');
     let style = inline.decorationStyle || 'solid';
     let thickness = (0, _variableType.isNumber)(inline.decorationThickness) ? inline.decorationThickness : null;
     for (let ii = 0, ll = decoration.length; ii < ll; ii++) {
@@ -46,10 +46,10 @@ class TextDecorator {
     let height = line.getHeight();
     for (let i = 0, l = line.inlines.length; i < l; i++) {
       let inline = line.inlines[i];
-      if (!inline.background) {
+      let color = this.pdfDocument.resolveColor(inline.background, undefined);
+      if (!color) {
         continue;
       }
-      let color = inline.background;
       let patternColor = this.pdfDocument.providePattern(inline.background);
       if (patternColor !== null) {
         color = patternColor;
@@ -59,7 +59,7 @@ class TextDecorator {
     }
   }
   drawDecorations(line, x, y) {
-    let groups = groupDecorations(line);
+    let groups = groupDecorations(line, this.pdfDocument);
     for (let i = 0, l = groups.length; i < l; i++) {
       this._drawDecoration(groups[i], x, y);
     }

package/js/URLResolver.js

@@ -2,20 +2,52 @@
 
 exports.__esModule = true;
 exports.default = void 0;
-async function fetchUrl(url, headers = {}) {
-  try {
-    const response = await fetch(url, {
-      headers
-    });
-    if (!response.ok) {
-      throw new Error(`Failed to fetch (status code: ${response.status}, url: "${url}")`);
+const MAX_REDIRECTS = 30;
+
+/**
+ * @param {string} url
+ * @param {object} headers
+ * @param {(url: string) => boolean} urlAccessPolicy
+ * @returns {Promise<Response>}
+ */
+async function fetchUrl(url, headers = {}, urlAccessPolicy) {
+  for (let i = 0; i <= MAX_REDIRECTS; i++) {
+    if (typeof urlAccessPolicy !== 'undefined' && urlAccessPolicy(url) !== true) {
+      throw new Error(`Access to URL denied by resource access policy: ${url}`);
+    }
+    try {
+      let response = await fetch(url, {
+        headers,
+        redirect: 'manual'
+      });
+
+      // redirect url
+      if (response.status >= 300 && response.status < 400) {
+        let location = response.headers.get('location');
+        if (!location) {
+          throw new Error('Redirect response missing Location header');
+        }
+        url = new URL(location, url).href;
+        continue;
+      }
+
+      // browsers do not support redirect: 'manual'
+      if (response.type === 'opaqueredirect') {
+        response = await fetch(url, {
+          headers
+        });
+      }
+      if (!response.ok) {
+        throw new Error(`Failed to fetch (status code: ${response.status})`);
+      }
+      return response;
+    } catch (error) {
+      throw new Error(`Network request failed (url: "${url}", error: ${error.message})`, {
+        cause: error
+      });
     }
-    return await response.arrayBuffer();
-  } catch (error) {
-    throw new Error(`Network request failed (url: "${url}", error: ${error.message})`, {
-      cause: error
-    });
   }
+  throw new Error(`Network request failed (url: "${url}", error: Too many redirects)`);
 }
 class URLResolver {
   constructor(fs) {
@@ -36,10 +68,15 @@ class URLResolver {
         if (this.fs.existsSync(url)) {
           return; // url was downloaded earlier
         }
-        if (typeof this.urlAccessPolicy !== 'undefined' && this.urlAccessPolicy(url) !== true) {
-          throw new Error(`Access to URL denied by resource access policy: ${url}`);
+        const response = await fetchUrl(url, headers, this.urlAccessPolicy);
+
+        // validate access policy on redirected url (in browsers, only the final URL is validated)
+        if (response.redirected) {
+          if (typeof this.urlAccessPolicy !== 'undefined' && this.urlAccessPolicy(response.url) !== true) {
+            throw new Error(`Access to URL denied by resource access policy: ${response.url}`);
+          }
         }
-        const buffer = await fetchUrl(url, headers);
+        const buffer = await response.arrayBuffer();
         this.fs.writeFileSync(url, buffer);
       }
       // else cannot be resolved

package/js/base.js

@@ -12,6 +12,7 @@ class pdfmake {
   constructor() {
     this.virtualfs = _virtualFs.default;
     this.urlAccessPolicy = undefined;
+    this.localAccessPolicy = undefined;
   }
 
   /**
@@ -32,9 +33,12 @@ class pdfmake {
     if (typeof this.urlAccessPolicy === 'undefined' && isServer) {
       console.warn('No URL access policy defined. Consider using setUrlAccessPolicy() to restrict external resource downloads.');
     }
+    if (typeof this.localAccessPolicy === 'undefined' && isServer) {
+      console.warn('No local access policy defined. Consider using setLocalAccessPolicy() to restrict local file system access.');
+    }
     let urlResolver = new _URLResolver.default(this.virtualfs);
     urlResolver.setUrlAccessPolicy(this.urlAccessPolicy);
-    let printer = new _Printer.default(this.fonts, this.virtualfs, urlResolver);
+    let printer = new _Printer.default(this.fonts, this.virtualfs, urlResolver, this.localAccessPolicy);
     const pdfDocumentPromise = printer.createPdfKitDocument(docDefinition, options);
     return this._transformToDocument(pdfDocumentPromise);
   }

package/js/index.js

@@ -6,6 +6,16 @@ class pdfmake extends pdfmakeBase {
   constructor() {
     super();
   }
+
+  /**
+   * @param {(path: string) => boolean} callback
+   */
+  setLocalAccessPolicy(callback) {
+    if (callback !== undefined && typeof callback !== 'function') {
+      throw new Error("Parameter 'callback' has an invalid type. Function or undefined expected.");
+    }
+    this.localAccessPolicy = callback;
+  }
   _transformToDocument(doc) {
     return new OutputDocumentServer(doc);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdfmake",
-  "version": "0.3.7",
+  "version": "0.3.8",
   "description": "Client/server side PDF printing in pure JavaScript",
   "main": "js/index.js",
   "esnext": "src/index.js",
@@ -17,7 +17,7 @@
     "@babel/cli": "^7.28.6",
     "@babel/core": "^7.29.0",
     "@babel/plugin-transform-modules-commonjs": "^7.28.6",
-    "@babel/preset-env": "^7.29.2",
+    "@babel/preset-env": "^7.29.5",
     "@eslint/js": "^10.0.1",
     "assert": "^2.1.0",
     "babel-loader": "^10.1.1",
@@ -25,25 +25,25 @@
     "browserify-zlib": "^0.2.0",
     "buffer": "^6.0.3",
     "core-js": "^3.49.0",
-    "eslint": "^10.0.3",
-    "eslint-plugin-jsdoc": "^62.8.0",
+    "eslint": "^10.3.0",
+    "eslint-plugin-jsdoc": "^62.9.0",
     "expose-loader": "^5.0.1",
     "file-saver": "^2.0.5",
-    "globals": "^17.4.0",
+    "globals": "^17.6.0",
     "mocha": "^11.7.5",
     "npm-run-all": "^4.1.5",
     "process": "^0.11.10",
     "rewire": "^9.0.1",
     "shx": "^0.4.0",
-    "sinon": "^21.0.3",
+    "sinon": "^22.0.0",
     "source-map-loader": "^5.0.0",
     "stream-browserify": "^3.0.0",
     "string-replace-webpack-plugin": "^0.1.3",
     "svg-to-pdfkit": "github:alafr/SVG-to-PDFKit#b091ebd4e7b7d2310eb1003511cd5de480f7e0e1",
-    "terser-webpack-plugin": "^5.4.0",
+    "terser-webpack-plugin": "^5.5.0",
     "transform-loader": "^0.2.4",
     "util": "^0.12.5",
-    "webpack": "^5.105.4",
+    "webpack": "^5.106.2",
     "webpack-cli": "^7.0.2"
   },
   "engines": {

package/src/LayoutBuilder.js

@@ -942,11 +942,13 @@ class LayoutBuilder {
 				// We store a reference of the ending cell in the first cell of the rowspan
 				cell._endingCell = rowSpanRightEndingCell;
 				cell._endingCell._startingRowSpanY = cell._startingRowSpanY;
+				cell._endingCell._startingRowSpanPage = cell._startingRowSpanPage;
 			}
 			if (rowSpanLeftEndingCell) {
 				// We store a reference of the left ending cell in the first cell of the rowspan
 				cell._leftEndingCell = rowSpanLeftEndingCell;
 				cell._leftEndingCell._startingRowSpanY = cell._startingRowSpanY;
+				cell._leftEndingCell._startingRowSpanPage = cell._startingRowSpanPage;
 			}
 
 			// If we are after a cell that started a rowspan
@@ -984,7 +986,17 @@ class LayoutBuilder {
 				if (dontBreakRows) {
 					// Calculate how many points we have to discount to Y when dontBreakRows and rowSpan are combined
 					const ctxBeforeRowSpanLastRow = this.writer.contextStack[this.writer.contextStack.length - 1];
-					discountY = ctxBeforeRowSpanLastRow.y - cell._startingRowSpanY;
+					const startsOnCurrentPage = (
+						typeof cell._startingRowSpanPage === 'number' &&
+						cell._startingRowSpanPage === ctxBeforeRowSpanLastRow.page
+					);
+
+					if (startsOnCurrentPage && typeof cell._startingRowSpanY === 'number') {
+						discountY = ctxBeforeRowSpanLastRow.y - cell._startingRowSpanY;
+					}
+
+					// Do not increase Y by applying a negative discount.
+					discountY = Math.max(0, discountY);
 				}
 				let originalXOffset = 0;
 				// If context was saved from an unbreakable block and we are not in an unbreakable block anymore
@@ -1170,6 +1182,7 @@ class LayoutBuilder {
 				tableNode.table.body[i].forEach(cell => {
 					if (cell.rowSpan && cell.rowSpan > 1) {
 						cell._startingRowSpanY = this.writer.context().y;
+						cell._startingRowSpanPage = this.writer.context().page;
 					}
 				});
 			}

package/src/PDFDocument.js

@@ -1,4 +1,5 @@
 import PDFKit from 'pdfkit';
+import { isString } from './helpers/variableType';
 
 const typeName = (bold, italics) => {
 	let type = 'normal';
@@ -13,7 +14,7 @@ const typeName = (bold, italics) => {
 };
 
 class PDFDocument extends PDFKit {
-	constructor(fonts = {}, images = {}, patterns = {}, attachments = {}, options = {}, virtualfs = null) {
+	constructor(fonts = {}, images = {}, patterns = {}, attachments = {}, options = {}, virtualfs = null, localAccessPolicy = undefined) {
 		super(options);
 
 		this.fonts = {};
@@ -39,10 +40,10 @@ class PDFDocument extends PDFKit {
 			}
 		}
 
-
 		this.images = images;
 		this.attachments = attachments;
 		this.virtualfs = virtualfs;
+		this.localAccessPolicy = localAccessPolicy;
 	}
 
 	getFontType(bold, italics) {
@@ -74,6 +75,8 @@ class PDFDocument extends PDFKit {
 
 			if (this.virtualfs && this.virtualfs.existsSync(def[0])) {
 				def[0] = this.virtualfs.readFileSync(def[0]);
+			} else {
+				this.validateLocalFile(def[0]);
 			}
 
 			this.fontCache[familyName][type] = this.font(...def)._font;
@@ -108,8 +111,12 @@ class PDFDocument extends PDFKit {
 
 		let image;
 
+		let imageSrc = realImageSrc(src);
+
+		this.validateLocalFile(imageSrc);
+
 		try {
-			image = this.openImage(realImageSrc(src));
+			image = this.openImage(imageSrc);
 			if (!image) {
 				throw new Error('No image');
 			}
@@ -157,9 +164,23 @@ class PDFDocument extends PDFKit {
 			return this.virtualfs.readFileSync(attachment.src);
 		}
 
+		this.validateLocalFile(attachment.src);
+
 		return attachment;
 	}
 
+	resolveColor(color, defaultColor) {
+		color = color || defaultColor;
+
+		if (typeof this._normalizeColor === 'function') {
+			if (isString(color) && this._normalizeColor(color) === null) { // color is not valid
+				return defaultColor;
+			}
+		}
+
+		return color;
+	}
+
 	setOpenActionAsPrint() {
 		let printActionRef = this.ref({
 			Type: 'Action',
@@ -169,6 +190,30 @@ class PDFDocument extends PDFKit {
 		this._root.data.OpenAction = printActionRef;
 		printActionRef.end();
 	}
+
+	file(src, options = {}) {
+		this.validateLocalFile(src);
+
+		return super.file(src, options);
+	}
+
+	validateLocalFile(path) {
+		if (typeof this.localAccessPolicy === 'undefined') {
+			return;
+		}
+
+		if (!isString(path)) {
+			return;
+		}
+
+		if (/^data:/.test(path)) {
+			return;
+		}
+
+		if (this.localAccessPolicy(path) !== true) {
+			throw new Error(`Access to local file denied by resource access policy: ${path}`);
+		}
+	}
 }
 
 export default PDFDocument;

package/src/Printer.js

@@ -13,11 +13,13 @@ class PdfPrinter {
 	 * @param {object} fontDescriptors font definition dictionary
 	 * @param {object} virtualfs
 	 * @param {object} urlResolver
+	 * @param {(path: string) => boolean} localAccessPolicy
 	 */
-	constructor(fontDescriptors, virtualfs, urlResolver) {
+	constructor(fontDescriptors, virtualfs, urlResolver, localAccessPolicy) {
 		this.fontDescriptors = fontDescriptors;
 		this.virtualfs = virtualfs;
 		this.urlResolver = urlResolver;
+		this.localAccessPolicy = localAccessPolicy;
 	}
 
 	/**
@@ -69,7 +71,7 @@ class PdfPrinter {
 			font: null
 		};
 
-		this.pdfKitDoc = new PDFDocument(this.fontDescriptors, docDefinition.images, docDefinition.patterns, docDefinition.attachments, pdfOptions, this.virtualfs);
+		this.pdfKitDoc = new PDFDocument(this.fontDescriptors, docDefinition.images, docDefinition.patterns, docDefinition.attachments, pdfOptions, this.virtualfs, this.localAccessPolicy);
 		embedFiles(docDefinition, this.pdfKitDoc);
 
 		const builder = new LayoutBuilder(pageSize, normalizePageMargin(docDefinition.pageMargins), new SVGMeasure());

package/src/Renderer.js

@@ -188,7 +188,7 @@ class Renderer {
 
 			let opacity = isNumber(inline.opacity) ? inline.opacity : 1;
 			this.pdfDocument.opacity(opacity);
-			this.pdfDocument.fill(inline.color || 'black');
+			this.pdfDocument.fill(this.pdfDocument.resolveColor(inline.color, 'black'));
 
 			this.pdfDocument._font = inline.font;
 			this.pdfDocument.fontSize(inline.fontSize);
@@ -287,14 +287,14 @@ class Renderer {
 		let strokeOpacity = isNumber(vector.strokeOpacity) ? vector.strokeOpacity : 1;
 
 		if (vector.color && vector.lineColor) {
-			this.pdfDocument.fillColor(vector.color, fillOpacity);
-			this.pdfDocument.strokeColor(vector.lineColor, strokeOpacity);
+			this.pdfDocument.fillColor(this.pdfDocument.resolveColor(vector.color, 'black'), fillOpacity);
+			this.pdfDocument.strokeColor(this.pdfDocument.resolveColor(vector.lineColor, 'black'), strokeOpacity);
 			this.pdfDocument.fillAndStroke();
 		} else if (vector.color) {
-			this.pdfDocument.fillColor(vector.color, fillOpacity);
+			this.pdfDocument.fillColor(this.pdfDocument.resolveColor(vector.color, 'black'), fillOpacity);
 			this.pdfDocument.fill();
 		} else {
-			this.pdfDocument.strokeColor(vector.lineColor || 'black', strokeOpacity);
+			this.pdfDocument.strokeColor(this.pdfDocument.resolveColor(vector.lineColor, 'black'), strokeOpacity);
 			this.pdfDocument.stroke();
 		}
 	}
@@ -436,7 +436,7 @@ class Renderer {
 	renderWatermark(page) {
 		let watermark = page.watermark;
 
-		this.pdfDocument.fill(watermark.color);
+		this.pdfDocument.fill(this.pdfDocument.resolveColor(watermark.color, 'black'));
 		this.pdfDocument.opacity(watermark.opacity);
 
 		this.pdfDocument.save();