Chapter 14, Security, Control, and Digital Signatures
XFA Specification
Example 14.1 Submitting event that sends the template and data to the target server
<subform … >
  <field … >
    <event activity="click" … >
      <submit format="xdp" xdpContent="template datasets" … />
    </event>
  </field>
</subform>
If an XFA template includes a UUID and time stamp and that template is submitted to a server, the UUID
and time stamp are included in the XDP or PDF created for that template.
Respecting External References in Image Data and Rich Text
External references may appear in data supplied to the XFA processing application in the following forms:
● Referenced images, where the reference is represented as an href specification (“Image
● Embedded references in rich text, where the reference is represented as an xfa:embed, where the adjacent xfa:embedType is set to "URI" (“Embedded
Whether such external references are resolved depends on the trust given to the URI described in that reference.
● Trusted. If the href reference is trusted, the image data may be included in the XFA Data DOM.
● Not trusted. If it is not trusted, the XFA processor verifies that the referenced location is inside the current package, i.e. inside the XDP or PDF that supplied the template. If it is not inside the current package the reference is blocked.
Referenced images in data are described in “Image Data” on page 135.
Discarding Unexpected Submitted Packets
The XFA submit mechanism provides the option of submitting the template and configuration
information along with the data. However, templates may contain scripts that execute on the server side,
and XFA does not provide a native mechanism for establishing that a submitted template is
trustworthy. Hence, in any environment in which submissions are accepted from untrusted clients, care
should be taken to ensure that any submitted template is discarded and a local copy of the template is
used instead.
Potentially similar problems could arise from accepting a configuration packet from an untrusted client.
The best thing to do when dealing with untrusted clients is to discard every submitted packet that is not
expected.
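The discard rule above, as an added Python example (not part of the XFA specification or of any XFA product): a server-side filter that keeps only the expected packet from a submitted XDP and drops everything else, including a client-supplied template or configuration packet. The policy that only the datasets packet is expected, the name filter_submission, UTF-8 input and the sample submission are assumptions of this example.

```python
import xml.etree.ElementTree as ET

XDP_NS = "http://ns.adobe.com/xdp/"
DATA_NS = "http://www.xfa.org/schema/xfa-data/1.0/"
ET.register_namespace("xdp", XDP_NS)
ET.register_namespace("xfa", DATA_NS)

# Assumed server policy for this example: only the datasets packet is expected.
EXPECTED = frozenset({f"{{{DATA_NS}}}datasets"})


def filter_submission(xdp_bytes, expected=EXPECTED):
    """Return (filtered XDP bytes, local names of the discarded packets)."""
    # Decode strictly as UTF-8 and parse the decoded text, so the DTD check
    # and the parser see the same characters.
    text = xdp_bytes.decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD not accepted in a submission")
    root = ET.fromstring(text)
    if root.tag != f"{{{XDP_NS}}}xdp":
        raise ValueError("root element is not an XDP envelope")
    kept, discarded = set(), []
    for packet in list(root):
        if packet.tag in expected and packet.tag not in kept:
            kept.add(packet.tag)
            continue
        # Unexpected packet (template, config, ...) or a duplicate: drop it.
        discarded.append(packet.tag.rpartition("}")[2])
        root.remove(packet)
    if kept != set(expected):
        raise ValueError("an expected packet is missing")
    return ET.tostring(root), discarded


# Constructed sample submission: the client sent template and config packets
# along with the data. Namespace versions are illustrative.
SAMPLE = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/"><subform name="f"/></template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data><f><amount>10</amount></f></xfa:data></xfa:datasets>
<config xmlns="http://www.xfa.org/schema/xci/3.0/"/>
</xdp:xdp>"""

if __name__ == "__main__":
    clean, dropped = filter_submission(SAMPLE)
    print("discarded:", dropped)
    print(clean.decode())
```

The filtered data is then processed against the server's local copy of the template, and the list of discarded packet names can be logged as a signal that a client sent more than was expected.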