secure-pdf-viewer-react

v1.0.0

Published

Secure PDF viewer for React - Canvas-only rendering prevents XSS attacks from malicious PDFs

Downloads

102

Readme

secure-pdf-viewer-react

A secure PDF viewer component for React. Uses canvas-only rendering to prevent XSS attacks from malicious PDF files.

Why?

Standard PDF viewers that render text layers and annotation layers into the DOM are vulnerable to XSS attacks embedded in crafted PDF files. This component renders PDF pages exclusively to <canvas> elements, eliminating all DOM injection vectors.

Installation

npm install secure-pdf-viewer-react pdfjs-dist

Quick Start

Load from URL

import { SecurePdfViewer } from 'secure-pdf-viewer-react';

function App() {
  return (
    <div style={{ width: '100%', height: '100vh' }}>
      <SecurePdfViewer src="https://example.com/document.pdf" />
    </div>
  );
}

Load from File Upload

import { useState } from 'react';
import { SecurePdfViewer } from 'secure-pdf-viewer-react';

function App() {
  const [file, setFile] = useState<File | undefined>();

  return (
    <div>
      <input
        type="file"
        accept=".pdf"
        onChange={(e) => setFile(e.target.files?.[0])}
      />
      {file && <SecurePdfViewer file={file} />}
    </div>
  );
}

Load from ArrayBuffer

import { SecurePdfViewer } from 'secure-pdf-viewer-react';

function App({ pdfData }: { pdfData: ArrayBuffer }) {
  return <SecurePdfViewer data={pdfData} />;
}

Using Ref Methods

import { useRef } from 'react';
import { SecurePdfViewer, SecurePdfViewerRef } from 'secure-pdf-viewer-react';

function App() {
  const viewerRef = useRef<SecurePdfViewerRef>(null);

  const jumpToPage5 = () => viewerRef.current?.goToPage(5);
  const getInfo = () => console.log(viewerRef.current?.getState());

  return (
    <div>
      <button onClick={jumpToPage5}>Go to Page 5</button>
      <button onClick={getInfo}>Log State</button>
      <SecurePdfViewer ref={viewerRef} src="/document.pdf" />
    </div>
  );
}

Props

| Prop | Type | Default | Description |
|------|------|---------|-------------|
| src | string | — | URL of the PDF file |
| file | File | — | File object (from <input type="file">) |
| data | ArrayBuffer \| Uint8Array | — | Raw PDF data |
| initialScale | number | 1.0 | Initial zoom level |
| minScale | number | 0.25 | Minimum zoom level |
| maxScale | number | 5.0 | Maximum zoom level |
| showToolbar | boolean | true | Show the built-in toolbar |
| className | string | '' | CSS class for the container |
| style | CSSProperties | — | Inline styles for the container |
| workerSrc | string | — | Custom path to pdf.worker.min.mjs |
| pixelRatio | number | devicePixelRatio | Device pixel ratio for rendering |
| disableDownload | boolean | false | Disable the download button |

Note: Provide exactly one of src, file, or data.

Callbacks

| Callback | Signature | Description |
|----------|-----------|-------------|
| onLoadStateChange | (state: 'idle' \| 'loading' \| 'ready' \| 'error') => void | Fires when load state changes |
| onPageChange | (page: number, totalPages: number) => void | Fires when the current page changes |
| onScaleChange | (scale: number) => void | Fires when the zoom level changes |
| onError | (error: Error) => void | Fires when an error occurs |

Ref Methods

Access these via a React ref (useRef<SecurePdfViewerRef>):

| Method | Signature | Description |
|--------|-----------|-------------|
| goToPage | (page: number) => void | Navigate to a specific page |
| setScale | (scale: number) => void | Set the zoom level |
| getState | () => { currentPage, totalPages, scale } | Get current viewer state |

Security Features

This component enforces multiple layers of security:

  1. Canvas-only rendering: PDF pages are rasterized to <canvas>. No textLayer or annotationLayer DOM elements are created, eliminating all XSS injection vectors.
  2. JavaScript execution disabled: the isEvalSupported: false option prevents PDF.js from executing any JavaScript embedded in PDF files.
  3. External resource blocking: the disableAutoFetch: true option blocks external resource loading, preventing SSRF attacks.
  4. Font injection prevention: the disableFontFace: true option blocks @font-face CSS injection from PDF fonts.
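
How the settings in this list map onto PDF.js calls, as an added example that is not the package's own source. It uses the pdfjs-dist calls getDocument, getPage, getViewport and render; the names hardenedParams and renderPageToCanvas are hypothetical, and pdfjsLib is passed in as a parameter (an assumption made so the code can be exercised with a stub).

```javascript
// Added example, not the package's source. `pdfjsLib` is the module object you
// get from `import * as pdfjsLib from 'pdfjs-dist'`; it is injected so the
// functions can run against a stub. Function names here are hypothetical.

// The three PDF.js loader options named in the list above.
const LOCKED = Object.freeze({
  isEvalSupported: false,
  disableAutoFetch: true,
  disableFontFace: true,
});

// Build getDocument() parameters. Caller-supplied extras are merged in, but a
// value that would override a locked setting is rejected instead of ignored.
// `source` uses PDF.js's own parameter names: { url } or { data }.
function hardenedParams(source, extra = {}) {
  const given = ['url', 'data'].filter((k) => source[k] != null);
  if (given.length !== 1) throw new TypeError('provide exactly one of url or data');
  const weakened = Object.keys(LOCKED)
    .filter((k) => k in extra && extra[k] !== LOCKED[k]);
  if (weakened.length) throw new Error('refusing to weaken: ' + weakened.join(', '));
  return { ...extra, ...source, ...LOCKED };
}

// Rasterize one page into a <canvas>. Only page.render() is called: no text
// layer or annotation layer is built, so nothing from the PDF becomes DOM nodes.
async function renderPageToCanvas(pdfjsLib, source, canvas, pageNumber = 1, scale = 1) {
  const pdf = await pdfjsLib.getDocument(hardenedParams(source)).promise;
  if (!Number.isInteger(pageNumber) || pageNumber < 1 || pageNumber > pdf.numPages) {
    throw new RangeError(`page ${pageNumber} outside 1..${pdf.numPages}`);
  }
  const page = await pdf.getPage(pageNumber);
  const viewport = page.getViewport({ scale });
  canvas.width = Math.ceil(viewport.width);
  canvas.height = Math.ceil(viewport.height);
  await page.render({ canvasContext: canvas.getContext('2d'), viewport }).promise;
  return { page: pageNumber, totalPages: pdf.numPages };
}
```
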

Worker Configuration

For production use, place pdf.worker.min.mjs from the pdfjs-dist package in your public directory and pass its path via the workerSrc prop:

<SecurePdfViewer
  src="/document.pdf"
  workerSrc="/pdf.worker.min.mjs"
/>

This avoids relying on the CDN fallback and ensures CSP compliance.

Keyboard Shortcuts

| Key | Action |
|-----|--------|
| Arrow Left / Up | Previous page |
| Arrow Right / Down | Next page |
| Ctrl + + | Zoom in |
| Ctrl + - | Zoom out |

License

MIT - see LICENSE for details.