I, newbie » Universal XSS with PDF files [これはひどい]Universal XSS with PDF files: highly dangerous It seams that PDF documents can execute JavaScript code for no apparent reason by using the following template: http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here You must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF
