Skip to main content
W
wendyll
Participant
January 11, 2017
Answered

How to protect my javascript for form submission from authorized changes?

  • January 11, 2017
  • 3 replies
  • 2495 views

Hi all,

I have a PDF form created with some validation.

I'm using Customized JavaScript for the submit button to send the form contents to my server.

The server will take 2 things: 1. the complete pdf. 2. the html data of the fields desired

so in the JavaScript actually I defined some logic to control what to send to server and what not to send.

I realize if anyone has Acrobat DC and knows about JavaScript, they can actually change my submit button JavaScript code or change the logic and send invalid data or even attack my server in some sense.

How do I prevent that from happening?

I'm trying to find some locking mechanism. Someone suggest about File->Properties->Security

However, it's locking file opening, editing, printing..etc, but not the JavaScript.

What I really is, I only want to lock the scripts from editing, but not locking the complete PDF form. The form need to be filled up by users, but the users shouldn't change the JavaScript code for form submission or field validation.

This topic has been closed for replies.
Correct answer George_Johnson

In the Permissions section, select the "Restrict editing..." check box and in the "Changes allowed" dropdown, select one that allows form filling. This type of security isn't really secure since there are tools available that can easily remove it, but it will prevent someone with just Acrobat and no password from making changes, including changes to the scripting, apart from those that you explicitly allow (e.g., form filling)..

3 replies

JR Boulay
Community Expert
JR BoulayCommunity Expert
Community Expert
January 11, 2017

Of course you can copy this script, but my intent is that you cannot edit it.

Acrobate du PDF, InDesigner et Photoshopographe
JR Boulay
Community Expert
JR BoulayCommunity Expert
Community Expert
January 11, 2017

Hi.

You can obfuscate your scripts: http://www.javascriptobfuscator.com/Javascript-Obfuscator.aspx

See this sample obfuscated PDF file: http://abracadabrapdf.net/download/Calcul_poids_imprime.pdf

Acrobate du PDF, InDesigner et Photoshopographe
    T
    Test Screen Name
    Legend
    January 11, 2017

    It's good to be concerned about security, but I have to say I think you're looking at the "wrong end". I can get a copy of any JavaScript code in seconds. Obfuscation is irrelevant. Whether I can edit the PDF is irrelevant too, because I can put the JavaScript into a NEW PDF.

    So it is the server that must be absolutely bulletproof. This means protected against all known attacks, from SQL injection to server bug exploits. It also needs to be protected against data spoofing; for example a classic error is to take the price from the submitted data, rather than looking it up on the server.

    For this reason the server script and server itself needs to be set up and actively maintained by a web specialist with good security credentials. (Not just anyone who can write ASP scripts). It's a pity, but that's the world be live in.

    (By the way there is no option to submit both the PDF and its HTML fields; this needs server side software).

    G
    George_JohnsonCorrect answer
    Inspiring
    January 11, 2017

    In the Permissions section, select the "Restrict editing..." check box and in the "Changes allowed" dropdown, select one that allows form filling. This type of security isn't really secure since there are tools available that can easily remove it, but it will prevent someone with just Acrobat and no password from making changes, including changes to the scripting, apart from those that you explicitly allow (e.g., form filling)..

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices