Commit 9e729d6

Merge pull request #1222 from futurepress/disable_scripts
Add iframe sandboxing and allowScriptedContent option
2 parents f632df7 + ab4dd46 commit 9e729d6

8 files changed

+18828
-28
lines changed

README.md

Lines changed: 20 additions & 0 deletions
@@ -88,6 +88,26 @@ Scrolled: `book.renderTo("area", { flow: "scrolled-doc" });`
8888

8989
[View example](http://futurepress.github.io/epub.js/examples/scrolled.html)
9090

91+
## Scripted Content
92+
93+
[Scripted content](https://www.w3.org/TR/epub-33/#sec-scripted-content), JavasScript the ePub HTML content, is disabled by default due to the potential for executing malicious content.
94+
95+
This is done by sandboxing the iframe the content is rendered into, though it is still recommened to santize the ePub content server-side as well.
96+
97+
If a trusted ePub contains interactivity, it can be enabled by passing `allowScriptedContent: true` to the `Rendition` settings.
98+
99+
```html
100+
<script>
101+
var rendition = book.renderTo("area", {
102+
width: 600,
103+
height: 400,
104+
allowScriptedContent: true
105+
});
106+
</script>
107+
```
108+
109+
This will allow the sandboxed content to run scripts, but currently makes the sandbox insecure.
110+
91111
## Documentation
92112

93113
API documentation is available at [epubjs.org/documentation/0.3/](http://epubjs.org/documentation/0.3/)
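
Review bot: The closing sentence at README line 109 says enabling `allowScriptedContent` "currently makes the sandbox insecure" but does not say which protection is lost or what an integrator should do about it, and line 97 relies on "a trusted ePub" without saying what qualifies as trusted. Suggest naming the guarantee that no longer holds once scripts are allowed, and stating that the option should only be set for books whose source the application controls, with the server-side sanitizing mentioned on line 95 treated as a requirement in that case rather than a recommendation. The added text also needs a proofread: "JavasScript the ePub HTML content" on line 93 is misspelled and missing a word (for example "JavaScript in the ePub HTML content"), and line 95 has "recommened" and "santize".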
