From 469f34ac9e6d4980e1d3c2884a8c3230030ecf33 Mon Sep 17 00:00:00 2001
From: Ryan Elliott
Date: Wed, 8 Jan 2025 10:30:26 -0700
Subject: [PATCH] [INTRISK-83943] default isEvalSupported to false (#184)

* default isEvalSupported to false
* formatting
* remove public setter
---
 lib/src/document_init_parameters.dart | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/src/document_init_parameters.dart b/lib/src/document_init_parameters.dart
index ce836df..59bc385 100644
--- a/lib/src/document_init_parameters.dart
+++ b/lib/src/document_init_parameters.dart
@@ -26,6 +26,10 @@ class DocumentInitParameters {
 DocumentInitParameters() {
 _jsInternal = JsObject.jsify({});
+
+ // https://www.cisecurity.org/advisory/a-vulnerability-in-mozilla-pdfjs-could-allow-for-arbitrary-code-execution_2024-046
+ // Vulnerability in Mozilla PDF.js Could Allow for Arbitrary Code Execution when isEvalSupported is set to true for PDF.js versions prior to 4.2.67.
+ _jsInternal?['isEvalSupported'] = false;
 }
 TypedData? get data => _jsInternal?['data'] as TypedData?;
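Review bot: The `isEvalSupported = false` default added to the `DocumentInitParameters()` constructor only holds while nothing else writes that key, and the hunk shows no test that would catch a regression. A small test that constructs the object and asserts the underlying JS option is `false` would stop a later refactor from silently re-enabling eval on PDF.js builds older than 4.2.67. The null-aware `?[]` in `_jsInternal?['isEvalSupported'] = false;` would skip the write without any error if the field were ever null. It cannot be null here because it is assigned on the line before, so `_jsInternal!['isEvalSupported'] = false;` (or a non-nullable local) would make a failure to apply the hardening loud. The class body continues outside the hunk, so any other constructor or factory that builds the JS object should apply the same default, and the comment could say so: `// Security default: keep false unless the bundled PDF.js is >= 4.2.67.`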