jsPDF icon indicating copy to clipboard operation
jsPDF copied to clipboard
verified publisher icon parallax

Allow configurable Producer field to address security concerns

Open 1234-ad opened this issue 2 months ago • 0 comments

Fix for Issue #3878: Allow setting of Producer

This PR addresses the security concern raised in issue #3878 by making the PDF Producer field configurable instead of hardcoded.

Problem

Currently, jsPDF automatically adds Producer metadata with the jsPDF version number, which can be seen as an "Information disclosure vulnerability" as mentioned in the issue.

Solution

This PR implements a configurable producer field that allows users to:

  • Set a custom producer value
  • Remove producer information entirely (for security)
  • Maintain backward compatibility (defaults to current behavior)

Changes Made

  1. Added producer to documentProperties: The producer is now a configurable property
  2. Modified putInfo function: Uses configurable producer value if set, otherwise falls back to default
  3. Backward compatibility: If no custom producer is set, behavior remains unchanged

Usage Examples

// Set custom producer
var doc = new jsPDF();
doc.setDocumentProperty('producer', 'My Custom Producer');

// Remove producer info for security
doc.setDocumentProperty('producer', '');

// Use setDocumentProperties
doc.setDocumentProperties({
  producer: 'Custom PDF Generator v1.0'
});

Files Changed

  • Added producer property to documentProperties object
  • Modified putInfo function to use configurable producer
  • Added test examples and documentation

Security Benefits

  • Allows users to remove or customize jsPDF version information
  • Addresses information disclosure vulnerability concerns
  • Maintains full backward compatibility

Fixes #3878

1234-ad avatar Oct 01 '25 16:10 1234-ad