fix: secure PDF viewer iframe by removing unnecessary file parameter

papphelix · papphelix · commit b8bce5aa46cb · 2026-01-13T15:52:27.000+05:30
diff --git a/lms/templates/static_pdfbook.html b/lms/templates/static_pdfbook.html
@@ -35,7 +35,7 @@
       <iframe
         title="${current_chapter.get('title')}"
         id="viewer-frame"
-        src="${request.path | n}?viewer=true${viewer_params | n}"
+        src="${request.path}?viewer=true${viewer_params}"
         width="856" height="1108" frameborder="0" tabindex="-1" seamless></iframe>
     </div>
   </div>
@@ -86,7 +86,7 @@
 
     // Load iframe without file parameter - secure approach (first time only)
     $('#viewer-frame').attr({
-      'src': '${request.path | n}?viewer=true#zoom=page-fit&disableRange=true${viewer_params | n}'
+      'src': '${request.path | n, js_escaped_string}?viewer=true${viewer_params | n, js_escaped_string}'
     }).focus();
   });
 </script>
