It's hard to overstate the ingenuity that went into this!
Despite what people say in the comments here, both browsers really do not let you execute PDF JavaScript willy nilly. Outside of browser environments you are mostly safe anyway because JavaScript is rarely supported, with the big exception being Acrobat. The cleverness of pdftris is not so much Tetris in PDF but how it found its way around the restrictions that browser environments have put up to protect us.
From what I understand pdftris also only works because of user interaction. I think there is no way to run JavaScript in a PDF without user interaction.
brumar 21 days ago [-]
You can manipulate form fields at anytime, and setInterval is provided so you can have things that run in an infinite loop. But yeah, as a first approximation, the only things js in pdf can do is mutate form fields and react to events related to form fields, unless your pdf reader is acrobat and that's something else entirely.
weinzierl 21 days ago [-]
My point is that nothing runs without at least one initial user interaction - which makes a big difference for security.
I believe this is even true for Acrobat with default settings, because while you can trigger JavaScript when a document is opened (/OpenAction) Acrobat will ask for permission.
brumar 21 days ago [-]
I think I got your point but might have expressed myself badly. The pdf can run js and messes with the display right at opening time, without any warning or ask for permission.
I feel stupid for not getting the joke. It would have been nice if you explained it in the ... postscript.
(Yes this is a joke)
dmd 22 days ago [-]
Just don't try to do this in any less powerful display languages, or you'll really be in a PCL.
martinflack 22 days ago [-]
> 1. The Javascript stops working when printed to physical paper.
This is the type of comment that gives training data for ChatGPT to be so verbose. Ha!
woodrowbarlow 22 days ago [-]
i recently discovered that the Canadian government depends on this for some fillable forms, because it shows a message at the top that says "JavaScript is disabled" and all the boxes show errors. i couldn't get it to work on Linux and had to dust off a Windows machine (and it still didn't work in firefox, it needed acrobat reader).
AlexanderTheGr8 22 days ago [-]
I have faced this exact problem with Canadian govt forms.
Evince doesn't support them. They are so specific about only adobe acrobat to fill out the forms.
I can open them in firefox but can't update them properly
The only option is to use my barely hanging on 10-yr old windows machine.
Let's hope that eventually they move on to a simpler web form.
pavon 22 days ago [-]
Okular supports javascript in PDFs and works with many fillable forms.
ikari_pl 22 days ago [-]
Wait, did Acrobat actually end support for Linux? Od you just didn't want that particular machine to catch... capitalism?
necovek 22 days ago [-]
There is no recent version of Acrobat Reader for Linux, and old (was it 5.x beta?) versions rarely work on modern distros.
ars 21 days ago [-]
Acrobat 9.5 works fine on Linux, if a little slow.
This Tetris game makes it crash though.
necovek 21 days ago [-]
Oh, thanks, that's good to hear!
Edit: only now I see that's also from 2009 with updates into 2013. Do you where one can easily download the latest patched version?
I see only a red half of the page, and then two pages of text.
efitz 22 days ago [-]
This is amazing and terrifying (I am a security engineer and parsing complex document formats is a never-ending treasure trove of vulnerabilities).
wayvey 22 days ago [-]
The amount of attack surface in various format parsers is pretty stunning and terrifying indeed
enews01 21 days ago [-]
Theres a malaysian movie where the main premise is a hacker who uses pdf executions to steal one cent from every persons bank account. Its pretty interesting.
brettermeier 21 days ago [-]
Do you know the name of the movie?
wastholm 20 days ago [-]
Not OP, but I found a series, not a movie, titled _One Cent Thief_ that fits the description. Sounds interesting.
Well a font using a custom experimental shaping library. Your font can't do it normally.
hnlmorg 22 days ago [-]
In my opinion the question isn’t so much “if” but rather “when”.
When will AI research and hardware capabilities reach a point that it’s practical to embed something like that into a regular document?
We’ve already seen proof of concept LLMs embedded into OpenType fonts.
I guess the other question is then “what capabilities would these AI agents have?” You’d hope just permission to present within that document. But that depends entirely on what unpatched vulnerabilities are lurking (such as the Microsoft ANSI RCE also featured on the HN front page)
btown 22 days ago [-]
For Chrome's PDF renderer, the runtime is V8, so we're literally one (hilarious) line of code away from this glorious future existing today:
> // Use interpreted JS only to avoid RWX pages in our address space. Also, --jitless implies --no-expose-wasm, which reduce exposure since no PDF should contain web assembly.
> return "--jitless";
Thorrez 21 days ago [-]
You could write an LLM in plain JS, right?
btown 20 days ago [-]
Yep, but one without the ability to even JIT down to vectorized CPU commands (to say nothing of GPU connectivity) would be incredibly slow indeed!
freedomben 22 days ago [-]
Looking forward to a day when you may not have a powerful enough GPU to open a PDF
siva7 22 days ago [-]
The first widespread AI Malware will be a historic moment in this century. It will adapt like a real biological virus to its host and we have no cure for this.
saagarjha 21 days ago [-]
We could unplug all the GPUs.
neuroelectron 22 days ago [-]
This isn't even the beginning of what's possible in PDFs.
bityard 22 days ago [-]
Not just web browsers, Acrobat (and probably other PDF readers) have supported executing Javascript in PDFs for decades.
unnouinceput 22 days ago [-]
I was joking in 2007, when I was working at Siemens, to my boss, that an Excel cell can contain God and the Multiverse when I put an ActiveX inside that was basically a program I made which would draw a 3D animation based on parameters contained on other cells. Let's say the boss was impressed though for me was just basic OLE.
I see from time to time that younger generations reinvent/rediscover the wheel and I chuckle.
21 days ago [-]
Aaron2222 22 days ago [-]
Doesn't work in Preview unfortunately.
jeffhuys 21 days ago [-]
Fortunately*
brumar 22 days ago [-]
This is even in the ISO standard now
pimlottc 22 days ago [-]
Which makes sense, why would browsers randomly add JS to PDF if it wasn’t already part of the standard?
kzrdude 22 days ago [-]
What a nightmare that JS is a part of the PDF standard. I suppose that it's optional.
swyx 21 days ago [-]
why??? for what possible secure white hat reason could you want to run js in pdfs??!? is nobody sane running the pdf org?
andreamonaco 17 days ago [-]
Yeah, I agree.
I first met an interactive PDF when filing a form for some state matter (I live in Italy).
I thought that it was over-engineered and dangerous.
Also, this kind of things tend to gratuitously exclude non-mainstream (especially free) software.
LetsGetTechnicl 21 days ago [-]
This is an affront against god. Good work.
btown 22 days ago [-]
I, for one, was surprised that Chrome's PDF renderer would allow persistent JS code like this to run - not just limited code in response to user actions, but a real game loop.
But there's a spec for all this and everything! https://www.t10.org/ftp/js_api_reference.pdf (2007) - be warned, the light of Ecma TC39 standardization does not extend to this place.
From a security perspective, they're able to build on top of V8 isolate primitives and Chrome's sandboxing systems - but from the logs, security improvements in PDFium are being continuously developed as recently as the past few weeks! I feel like I've stumbled upon a parallel universe, in the best possible way.
UniverseHacker 22 days ago [-]
This is horrifying, PDFs should not be able to execute code.
tbraydn 21 days ago [-]
A surprising number of things used to accept executable code.
In Microsoft Windows (~2000/ME), you used to be able embed JavaScript and ActiveX into ANY folder by replacing the folder view with your own HTML. Your customization would persist on shared network folders so others would see your HTML.
So naturally, a bunch of us 14 year olds in like 2002, between playing Runescape and Neopets in computer lab and library time, found this out and started screwing with the shared network Z: drive used by both teachers and students across every elementary, middle and high school in the school district.
There were dumb things you could do with all that power like open people’s CD-ROM reader trays by abusing the Windows Media ActiveX control. It had an eject() method on the object.
It ended up breaking in an edit war of the shared drive. There were some generic AD accounts used district-wide so you could avoid getting caught. We found out you could prefix the username with the domain and login with accounts from other schools. At one point, someone crossed the line, but I don’t think anyone got caught.
ta1243 21 days ago [-]
You put the <img src="file://c:/con/con"> in right? Or had that been fixed by the DHTML era
slig 21 days ago [-]
I used to place that as the home page of IE.
crazygringo 21 days ago [-]
Seriously, I hate it.
I understand why it happened -- it made sense to allow PDF's to be used for form-filling, and once you can fill in forms it obviously makes sense to validate inputs, and to handle arbitrary validation complexity you need a scripting language, and obviously then you want to be able to automatically fill in fields based on other fields, or even produce a QR code so it can be printed and scanned... And they didn't want to create a new extension like ".ipdf" for interactive PDF.
But still. I hate it.
cess11 22 days ago [-]
One should reject all PDF:s except /a-standards compliant ones.
belval 22 days ago [-]
Maybe if one enjoys endless conversations with unhappy customers. Easier to simply isolate the PDF rendering/parsing and move on.
silon42 21 days ago [-]
A conversion tool would be useful.
martin_a 21 days ago [-]
Let me tell you about the lord and savior of the printing industry, the PDF/X standard...
cess11 21 days ago [-]
It allows external sources. I think even the ICC profile can sit outside the document, as well as stuff like video.
I like the archivable series, the document comes with what is needed to render it.
fsckboy 21 days ago [-]
>PDFs should not be able to execute code
Postscript is code (it's a stack machine), and PDFs are Postscript
martin_a 21 days ago [-]
> PDFs are Postscript
PDFs have moved to native generation, due to the feature richness that has found its way into the specs.
Nevertheless you can still write PS and feed it into a Distiller (or sth. alike) and render the output.
nejsjsjsbsb 22 days ago [-]
HTMLs too :)
chaps 22 days ago [-]
They also support iframes! The absolute madness of PDFs is a world wonder. But I'm really still not sure we could do without them.
bityard 22 days ago [-]
Gzipped PostScript documents were fairly popular during the 90's and are functionally identical to PDFs for 99% of use cases. (PDF is essentially PostScript, but with more features.)
kccqzy 21 days ago [-]
For Gzipped PostScript, code execution is its raison d'être. But it is at least possible to build a PDF viewer without code execution.
necovek 22 days ago [-]
Well, both a simpler language more geared toward presentation, but also including more modern features designed for on-screen viewing.
seany 22 days ago [-]
This is great. Will probably give the fun police in r/k12sysadmin a heart attack.
bwjx 22 days ago [-]
This is awesome.
Took a bit of prompting but was able to get a semi-working (only in Chrome) Flappy Bird out of Claude in ~10 minutes. Seems like the collision detection needs some work :)
Not only web but majorly all OS pdf renderers support JS. It used to be a major source of malware long back.
autoexec 22 days ago [-]
PDFs are still used to delver malware. Adobe gets picked on less often now since everyone has PDF readers in the browser but that just makes chrome the new target of choice (not that alternative viewers don't get attention too https://thehackernews.com/2024/05/foxit-pdf-reader-flaw-expl...) but what I see most often in malicious PDF files recently are just links to websites that contain malware since they can work no matter what your viewer is.
ykonstant 22 days ago [-]
"used to be"
toddm 21 days ago [-]
This is really cool and fun!
I don't know much about the security issues others have raised, but if you're good enough to make this thing then I deserve to be pwned by you.
Chapeau!
frizlab 22 days ago [-]
Fortunately this does not work in Safari where the rendering is done natively.
p0w3n3d 21 days ago [-]
I like how you used "fortunately". For me too the most important in PDF is to print a good and accurate text and graphics (preferably vector graphics), which recently is not as easy as it would be possible
anothername12 22 days ago [-]
Does not even seem to be a valid PDF according to Preview.app
swiftcoder 22 days ago [-]
Preview implements a subset of the full capabilities of PDF, and in particular it does not implement the javascript interpreter.
GaggiX 22 days ago [-]
Kinda happy that Evince doesn't start executing JS when opening a PDF.
weinzierl 22 days ago [-]
"It was a bit tricky to find a union of features that work in both engines [..]"
I am curious what the constraints are to make this work and in which environments it does? Does it work in PDF viewers outside the browser? Is there documentation what is available in which environment? What is enabled by default, can be switched on or off?
ThomasRinsma 22 days ago [-]
I barely looked at Adobe Reader so not sure about that one, it definitely does not work with this PDF though, likely because it's not compliant in several ways. Besides that I wouldn't be surprised if it supports all the required JS APIs and more, just possibly behind some permission prompts.
It might work in Foxit as I believe it supports some scripting. Most of the other native PDF renderers are more static, as far as I know. In either case, I was most interested in the browser-native engines, as I always thought of them as more "static"/limited.
As for documentation on specific features: to be honest, I just looked at the implementations of PDF.js and PDFium. Both only support a subset of the "standard" API, likely for security reasons. But PDF.js for example allows changing a field's background color (colored pixels!), and PDFium allows modifying their position/bounding box (I tried a high res color display by moving a row vertically as if it's a scanline, but things become quite laggy).
throwaway86530 22 days ago [-]
I got the same conclusions. Unless I misunderstood, Pdfium is based on Foxit so that should work. And as both pdf.js and pdfium decided to implement only a thin part of the adobe js sdk, then there are good chances that it works there too.
KeplerBoy 22 days ago [-]
I guess it should read intersection instead of union.
ThomasRinsma 22 days ago [-]
Oops, yeah :)
alphabet9000 22 days ago [-]
amazing, i didn't know PDF supported javascript.
i've tried making "interactive" PDFs before but using POST and server side rendering rather than client, e.g. a PDF typewriter i made a little while back on http://news.coffee
Uptrenda 21 days ago [-]
Well OP, you have definitely made me reconsider my assumptions about PDFium. I had assumed that JS didn't work altogether in Chrome. But clearly there's just bugs in the code I wrote. You've inspired me to have another crack at solving it. But definitely when the time is right. It's going to be a lot of hair pulling, I can see that now.
I'm not sure what your process was for testing your scripts: but for me because there was no meaningful error output I had to incrementally build up my script line by line (which took forever.) So I thought I'd done well when I got my stuff working in Adobe + Firefox. I wonder if now everyone is going to add similar scripts to their resumes :p Doom will be next, maybe?
Wow... It's only January. I'm so excited to see what you release in February and beyond!
random_i 22 days ago [-]
Playable where?
It doesn't work in the Adobe Chrome PDF viewer, or in Preview.
icameron 22 days ago [-]
Sadly, Adobe Acrobat Viewer cannot load it, but if go to Chrome and choose Open.. That should use chrome PDF to display it in the browser (depending on your settings maybe) which worked for me.
grimgrin 22 days ago [-]
playable for me in firefox and chrome
TMWNN 22 days ago [-]
Works in Edge's PDF viewer, after exiting the initial mode via the <- in the upper left corner. (If you know how to avoid this being the default, let me know.)
cryptozeus 22 days ago [-]
works for me in chrome
8mobile 21 days ago [-]
playing Tetris on a pdf is the last thing I would have thought of. Kudos for the idea and implementation. To start a new game do I have to reload the pdf? Thanks
krick 22 days ago [-]
Ok, I kinda knew it was possible (I guess, anybody did), but this should be a very illustrative example. And unfortunately it doesn't seem like PDFs are gonna go away (though, really, why the hell there isn't any alternative?!) So it raises the question: is there any way to handle this garbage safely? I.e. in a way it couldn't run JS? I'm pretty sure it is not really necessary to read 99.999% PDFs out there.
BoingBoomTschak 22 days ago [-]
You can build mupdf with -javascript on Gentoo (I also bwrap it to hell, personally).
maalber 22 days ago [-]
This is hilarious
revskill 22 days ago [-]
Genius you mean ?
lucianbr 22 days ago [-]
Well, it's quite cool, but if PDF supports javascript, putting a javascript game in a PDF is something obviously possible. I don't know if it qualifies as genius. If the game was made from PostScript commands somehow, that would be genius.
Anyway, I love this content on Hacker news, as opposed to people explaining how they want Apple to take their freedom away, because freedom is dangerous.
swiftcoder 22 days ago [-]
> as opposed to people explaining how they want Apple to take their freedom away, because freedom is dangerous
May I be the first to reply that I am glad that this works in neither Safari nor Preview.app :)
runnr_az 22 days ago [-]
Obviously a talented individual. Nice to see them wasting time making something ridiculous
freedomben 22 days ago [-]
I don't know how serious you are, but for others projects like this are virtually never a waste of time. There's opportunity cost of course, but that's very difficult to measure. I'm sure OP learned a ton about PDFs in the process, and there is/are no shortage of needs for PDF creation. More broadly they also deepened their knowledge of javascript and other things.
potatoman22 22 days ago [-]
This is a good reminder for why to not download random PDFs. One of the mechanisms of the Pegasus spyware was emulating a computer inside a PDF.
The vulnerability was in images parsing, and exploit was distributed by sending an imessage to the target. So don't open any images, and don't read imessages.
They are also known to use browser exploits, so don't visit random websites.
That was sarcasm, in case it's not clear over the internet. Telling people to avoid "suspicious" pdfs/websites is common but ultimately not very useful advice.
The real takeaway is: don't become a target of a nation state intelligence agency. If you own a phone, they can take over it, and there's nothing you can do.
cess11 22 days ago [-]
The Pegasus Project has shown that pretty much anyone could be targeted. It's enough to know someone in a publicly owned company or publicly say something negative about corruption or just be in the wrong place at the wrong time.
Nothing you do will guarantee that the state won't come after you.
A tetris PDF could be in a 1 pixel iframe right on this page and you'd never know it. So it doesn't require any user action to download one.
sexy_seedbox 22 days ago [-]
That's why you run NoScript along side with UBO
geor9e 21 days ago [-]
I'm pretty sure noscript will break 90% of the webpages I visit. I just rawdog the internet. If Chrome gets 0day'd then a lot of us are going down - at least I'll have company.
throwaway2037 21 days ago [-]
> If Chrome gets 0day'd then a lot of us are going down
If anything, Google would have the correct incentive to protect itself from a zero-day exploit. I guess they could release a patched version internally only, but I doubt it. I do think they want the image of Chrome to be relatively positive and giant security hole (patched slowed) would do them no favours.
grgergo 20 days ago [-]
This PDF still runs with JS disabled in both of those, and in Firefox about:config...
eximius 22 days ago [-]
Interesting!
Something neat I found, you're able to 'clip' the blocks into each other by spinning them right before the block settles.
jeffhuys 21 days ago [-]
I actually am kind-of happy that this doesn't work on Mac (if you don't install Acrobat) / preview.
rhokstar 21 days ago [-]
I would be surprised if Doom was playable in a PDF that was being read in a LCD screen of a thermometer.
brettermeier 21 days ago [-]
You would or wouldn't be surprised?
amunozo 21 days ago [-]
Lol, I love it. Why didn't you include points multipliers when more than one line is filled though?
ReneFroger 21 days ago [-]
I'm wondering if running Doom in PDF files might be achievable, or is that a step too far away?
vanderZwan 21 days ago [-]
Probably in the domain of technically possible but good luck trying to get it to run fast enough and with little enough memory that the PDF engine doesn't crash.
A friend of mine once applied for a job with the local PT operator. For that, I finagled the PDF of his CV such that after a minute or so, one of the company's trains would drive over the page from left to right at the very bottom.
He never heard back from them.
theginger 22 days ago [-]
I hope to see this evolved into doom by the end of the year.
And it better not be just monochrome
shekywakey 21 days ago [-]
Will you call it the "Thomas Engine" that powers simple GUI games on PDF?
Uptrenda 21 days ago [-]
I did the same but with snake: https://roberts.pm/resume.pdf (Game at bottom -- though only works in Firefox and adobe. Now I need to add chrome support, thanks op. lmao)
could you use checkboxes for display? I'm no sure if you can style them, but I think you can access them in JS, and that should result in having basic "pixels" which you can use to draw anything.
brumar 22 days ago [-]
I made a game of life in pdf using this technique, but pdf.js is less open to chromium to respect the standard on letting the pdf designer defining the ON and OFF state.
One other way would be to use normal text fields and leveraging custom fonts. I think there are an enormous potential with fonts in the realm of pdf hacking. I think there is also a story of past vuln on pdf.js because fonts were evaluated outside the sandbox.
pbhjpbhj 22 days ago [-]
That sounds like something CodeBullet mighty have done!?
freedomben 22 days ago [-]
A few questions if you're willing:
1. What led you to want to do this project?
2. Have you worked with PDFs before? Do you work with PDFs as part of your day job?
3. Have you implemented Tetris before or is this your first time?
4. How long did it take you?
ilvez 22 days ago [-]
I'm probably lucky that Sumatra is showing them as static documents.
brumar 22 days ago [-]
I was considering doing exactly that ahah. We should connect to share our hacks and pains. One could project would be to run wasm4 games because, yes, pdfium and pdf.js can run webassembly.
thih9 22 days ago [-]
Would this work on a simple (non-android) eink reader, like a kindle?
rgmerk 22 days ago [-]
This is Evil Genius level work. Congratulations!
Did you do the actual coding in Acrobat or is there a less painful way to write embedded JS in a PDF?
alana314 22 days ago [-]
Wow, I had no idea PDFs could be this dynamic. Doesn't work in Mac OS preview or quicklook but works great in chrome.
danudey 22 days ago [-]
The Canadian passport application PDF has Javascript that updates a QR code in the top-right corner of the first page whenever you change or fill in a field.
Seems like a pretty genius way of avoiding transcription errors. When I dropped my passport application off yesterday the passport officer marked up a few things on the PDF and then scanned it in, so I assume that they use the QR code to automatically fill in the data as I entered it and then make any updates necessary from after-the-fact modifications manually.
Only seemed to work correctly in Acrobat Reader, but I haven't tried others (like Foxit) or anything.
audiodude 22 days ago [-]
Yes, elsewhere in this thread people were complaining about how Canadian government PDFs only work in Acrobat Reader on Windows and what a PITA that is.
ninalanyon 21 days ago [-]
I'm very pleased that this did not work in Firefox on Linux Mint. Unfortunately it does work in Vivaldi.
skykooler 20 days ago [-]
It works in Firefox on Manjaro.
enews01 21 days ago [-]
Wow this was quite fun and impressive! Looks like it doesn't work on Firefox, I wonder why.
jancek27 21 days ago [-]
Just played it on Firefox. Maybe we have different browser settings?
julian37 21 days ago [-]
Works fine here (134.0 on macOS)
Shinchy 21 days ago [-]
That's truly amazing! I knew you could do a lot with PDF but that not to this extent.
amytimed 22 days ago [-]
This is awesome! I think you should add the explanation of how it works in the PDF itself as well
luismedel 22 days ago [-]
Awesome.
I don't do security stuff anymore but I feel chills when I see (great) things like this,
casey2 22 days ago [-]
I believe there is a bug with the T block, I think I managed to overlap some blocks
miningape 22 days ago [-]
I just wish I could print this
Uptrenda 21 days ago [-]
OP, I still don't really understand how you got it to work in Chrome?
abdibrokhim 22 days ago [-]
Warning: Error during font loading: Font "HeBo" is not available.
_bydex 21 days ago [-]
I dont have a kindle to test, but i wonder if this works on a kindle
wizzwizz4 21 days ago [-]
Almost certainly not. Kindle's native format is MOBI, not PDF.
chimo777 21 days ago [-]
That's amazing! It goes beyond my understanding of PDFs.
nejsjsjsbsb 22 days ago [-]
PDFs, Regexes and Typescript Compiler make great runtimes!
_joel 22 days ago [-]
So does that mean we can transpile PDFs to webassembly now?
21 days ago [-]
0xKelsey 22 days ago [-]
That's both awesome and terrifying security-wise.
oneandonley1 17 days ago [-]
doesn't work on mobile, is there a specific viewer for this
21 days ago [-]
jiveturkey 22 days ago [-]
didn't work in safari's embedded reader. no text either, just a blank page. or did i not wait long enough?
saagarjha 21 days ago [-]
Doesn’t support JavaScript.
purpleidea 22 days ago [-]
Neat! Sadly doesn't work in Evince.
izakfr 22 days ago [-]
This is really awesome, great job!
lihaciudaniel 22 days ago [-]
Doesn't work in pdf.js
billiam 22 days ago [-]
and this is why I can't read HN at work anymore........
I have increasing confidence that when AIs finally destroy the Internet the delivery vehicle will be the file format that was created, as the Internet itself was, as a form of digital paper.
shivekkhurana 21 days ago [-]
But can it run Doom ?
tamersalama 21 days ago [-]
Take that RAG parser
nickcageinacage 22 days ago [-]
So cool
pmarreck 22 days ago [-]
this is a horrible idea.
which is why i am commenting to check it out later.
since postscript is also a language that it literally runs to render, would it also be possible to use postscript to make interactive elements?
zombot 18 days ago [-]
Holy crap, JS in a PDF! I wonder what mischief might be wrought with that.
weddingbell 21 days ago [-]
I printed the PDF on A4 paper, but Tetris doesn't work! lol
swyx 21 days ago [-]
... why exactly do PDF engines have to run javascript? wtf?
darkce 21 days ago [-]
so good
josefritzishere 22 days ago [-]
Brilliant!
Thoreandan 22 days ago [-]
Related: Ange Albertini, the creator of the .PDF/.ZIP/ELF reference diagrams (github/corkami) has started posting overview videos on his YT channel (@corkami-albertini) including creating .PDF+.PNG+.ZIP chimera files.
Back in school pdfs would circulate that had a bunch of flash games on them. I have no idea how or who made them, but they let us play dolphin olympics on lab computers with no internet connection.
doublerabbit 22 days ago [-]
Excel for games and PowerPoint for stick animations. You'd spend hours in CAD class just creating PowerPoint animations and not doing any CAD.
I regret this decision now and wish that I had paid some attention. 3D printers are cool and I have no idea how to design objects for it.
phkahler 22 days ago [-]
>> I do wish I did pay some attention to CAD now. I want a 3D printer and have no idea how to design objects for it.
Do the tutorials. If/when you outgrow it, the concepts will carry over to FreeCAD which otherwise has a steeper learning curve but has more capabilities.
smj-edison 22 days ago [-]
An aside, but I found FreeCAD to be a real pain. The dependency tracking across sketches is really quite horrid. If I have sketch2 linked to sketch1, and I delete a line in sketch1, it will arbitrarily reassign all the sketch2->sketch1 dependencies. Maybe they fixed that since I've used it, but I've transferred over to Onshape for all my hobby stuff...
EDIT: looks like they finally addressed the topological naming problem, I guess I better give it a second chance!
phkahler 18 days ago [-]
Solvespace handles topological naming almost flawlessly. Even in a repeat group, the first and last copies of a sketch are "named" first and last rather than given a number. This is because constraints are often applied to those copies. This way they won't break if you go back and change the number of copies.
pbhjpbhj 22 days ago [-]
I'm not sure, but I think it may have been that Adobe Viewer (or whatever it was) could run Flash?
That's how it inevitably goes with Turing completeness :)
The real achievement here arguably isn't running code (that's provided by the PDF spec and implementations), but managing to hook it up to user input/output in an ergonomic-enough way to play Tetris.
segasaturn 22 days ago [-]
The mention of Turing Completeness got me curious, so I looked something up. Behold, a C compiler written in Lambda Calculus: https://github.com/woodrush/lambda-8cc
lxgr 22 days ago [-]
Amazing, thank you!
The PDF [1] containing the Lambda calculus term manages to hang/glitch/crash both Firefox's and macOS Preview's PDF renderer, which in itself is quite the achievement in portability.
Update: Nevermind, Firefox handles it perfectly, it just (probably wisely) disables seamless scrolling and I have to use the "next/previous" page buttons manually. macOS got there after a minute or two of loading with no UI indications.
What about running Adobe Acrobat in Adobe Acrobat?
andrea76 22 days ago [-]
Can we run Windows 3.1 in protected mode from a PDF?
mati365 22 days ago [-]
Imho, it's possible. Generally speaking, it depends if PDF can render any sort of canvas.
danudey 22 days ago [-]
Can we compile qemu to a PDF?
_joel 22 days ago [-]
It's PDFs all the way down.
openrisk 22 days ago [-]
But will it also compile when printed out on paper?
22 days ago [-]
ohnoAmsorry 22 days ago [-]
[flagged]
mati365 22 days ago [-]
These 'tricks' are exactly what makes programming the passion I love. Thanks for capturing the difference between coding for joy and coding for a paycheck so succinctly. Also, it's not a wrapper—it's a full parser and compiler.
drdeca 22 days ago [-]
Huh? Did you comment this in reply to something other than what you intended to reply to?
cool-RR 22 days ago [-]
I printed it but it doesn't work :(
22 days ago [-]
ustad 21 days ago [-]
That reminded to disable javascript in pdfjs that is used in firefox.
Feel much safer!
aoeb 21 days ago [-]
Open about:config
Search for "pdfjs.enableScripting"
Set to false.
phforms 21 days ago [-]
Apparently, it is set to false by default in Zen Browser. In my Firefox it was still true.
aceazzameen 21 days ago [-]
Whew! I didn't realize it was enabled already.
vasco 21 days ago [-]
So you also disable it for normal browsing?
21 days ago [-]
Elizabeth0147 22 days ago [-]
[dead]
meddah 22 days ago [-]
Oops. I realized now, unknown PDFs are not safe.
22 days ago [-]
tonetheman 21 days ago [-]
[dead]
fishstock25 21 days ago [-]
[dead]
Rendered at 13:26:24 GMT+0000 (Coordinated Universal Time) with Vercel.
Despite what people say in the comments here, both browsers really do not let you execute PDF JavaScript willy nilly. Outside of browser environments you are mostly safe anyway because JavaScript is rarely supported, with the big exception being Acrobat. The cleverness of pdftris is not so much Tetris in PDF but how it found its way around the restrictions that browser environments have put up to protect us.
From what I understand pdftris also only works because of user interaction. I think there is no way to run JavaScript in a PDF without user interaction.
I believe this is even true for Acrobat with default settings, because while you can trigger JavaScript when a document is opened (/OpenAction) Acrobat will ask for permission.
(below is not serious)
I would advise people against using this in production though because it's still missing some critical features. For example:
1. The Javascript stops working when printed to physical paper. The resulting paper just has a static image and the controls no longer work.
2. It doesn't work properly in Evince. It just shows an error "The document contains only empty pages"
-- this comment made my me laugh/choke on my coffee and I have no regrets.
What's broke? How is it broke. Why send a one liner?!?
So many questions.
https://en.wikipedia.org/wiki/Electronic_paper
(Yes this is a joke)
This is the type of comment that gives training data for ChatGPT to be so verbose. Ha!
Let's hope that eventually they move on to a simpler web form.
This Tetris game makes it crash though.
Edit: only now I see that's also from 2009 with updates into 2013. Do you where one can easily download the latest patched version?
https://flathub.org/apps/com.adobe.Reader
I believe you need to rescan it into PDF to get it to work again.
Oh, so that's what it is. Bleh. Ok.
I thought it was cooler and made use of the fact that PostScript is a Turing-complete language to write Tetris in PostScript.
(I never really understood the PDF format but I always assumed it's some kind of compressed PostScript)
Science fiction tells us this is only temporary. Print away, those papers will turn into magic in just a few decades!
It works for me. Maybe you need to upgrade your paper? What version are you using?
You need to upgrade your paper that supports a minimum FR of 60hz.
Just wait until e-paper replaces the real one ;)
https://archive.org/details/OneCentThiefSeries
Oh it's so much worse than that. Your font can run an AI agent.
Llama.ttf: A font which is also an LLM -- https://news.ycombinator.com/item?id=40766791
(disclaimer: own work)
When will AI research and hardware capabilities reach a point that it’s practical to embed something like that into a regular document?
We’ve already seen proof of concept LLMs embedded into OpenType fonts.
I guess the other question is then “what capabilities would these AI agents have?” You’d hope just permission to present within that document. But that depends entirely on what unpatched vulnerabilities are lurking (such as the Microsoft ANSI RCE also featured on the HN front page)
https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fpd...
> // Use interpreted JS only to avoid RWX pages in our address space. Also, --jitless implies --no-expose-wasm, which reduce exposure since no PDF should contain web assembly.
> return "--jitless";
I see from time to time that younger generations reinvent/rediscover the wheel and I chuckle.
I first met an interactive PDF when filing a form for some state matter (I live in Italy).
I thought that it was over-engineered and dangerous.
Also, this kind of things tend to gratuitously exclude non-mainstream (especially free) software.
But there's a spec for all this and everything! https://www.t10.org/ftp/js_api_reference.pdf (2007) - be warned, the light of Ecma TC39 standardization does not extend to this place.
Chromium's implementation of setInterval for instance (which, in this world, takes a string to evaluate): https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj... -> https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj...
From a security perspective, they're able to build on top of V8 isolate primitives and Chrome's sandboxing systems - but from the logs, security improvements in PDFium are being continuously developed as recently as the past few weeks! I feel like I've stumbled upon a parallel universe, in the best possible way.
In Microsoft Windows (~2000/ME), you used to be able embed JavaScript and ActiveX into ANY folder by replacing the folder view with your own HTML. Your customization would persist on shared network folders so others would see your HTML.
So naturally, a bunch of us 14 year olds in like 2002, between playing Runescape and Neopets in computer lab and library time, found this out and started screwing with the shared network Z: drive used by both teachers and students across every elementary, middle and high school in the school district.
There were dumb things you could do with all that power like open people’s CD-ROM reader trays by abusing the Windows Media ActiveX control. It had an eject() method on the object.
It ended up breaking in an edit war of the shared drive. There were some generic AD accounts used district-wide so you could avoid getting caught. We found out you could prefix the username with the domain and login with accounts from other schools. At one point, someone crossed the line, but I don’t think anyone got caught.
I understand why it happened -- it made sense to allow PDF's to be used for form-filling, and once you can fill in forms it obviously makes sense to validate inputs, and to handle arbitrary validation complexity you need a scripting language, and obviously then you want to be able to automatically fill in fields based on other fields, or even produce a QR code so it can be printed and scanned... And they didn't want to create a new extension like ".ipdf" for interactive PDF.
But still. I hate it.
I like the archivable series, the document comes with what is needed to render it.
Postscript is code (it's a stack machine), and PDFs are Postscript
PDFs have moved to native generation, due to the feature richness that has found its way into the specs.
Nevertheless you can still write PS and feed it into a Distiller (or sth. alike) and render the output.
Took a bit of prompting but was able to get a semi-working (only in Chrome) Flappy Bird out of Claude in ~10 minutes. Seems like the collision detection needs some work :)
https://github.com/baileywjohnson/flapdfy-bird/blob/main/fla...
I don't know much about the security issues others have raised, but if you're good enough to make this thing then I deserve to be pwned by you.
Chapeau!
I am curious what the constraints are to make this work and in which environments it does? Does it work in PDF viewers outside the browser? Is there documentation what is available in which environment? What is enabled by default, can be switched on or off?
It might work in Foxit as I believe it supports some scripting. Most of the other native PDF renderers are more static, as far as I know. In either case, I was most interested in the browser-native engines, as I always thought of them as more "static"/limited.
As for documentation on specific features: to be honest, I just looked at the implementations of PDF.js and PDFium. Both only support a subset of the "standard" API, likely for security reasons. But PDF.js for example allows changing a field's background color (colored pixels!), and PDFium allows modifying their position/bounding box (I tried a high res color display by moving a row vertically as if it's a scanline, but things become quite laggy).
i've tried making "interactive" PDFs before but using POST and server side rendering rather than client, e.g. a PDF typewriter i made a little while back on http://news.coffee
I'm not sure what your process was for testing your scripts: but for me because there was no meaningful error output I had to incrementally build up my script line by line (which took forever.) So I thought I'd done well when I got my stuff working in Adobe + Firefox. I wonder if now everyone is going to add similar scripts to their resumes :p Doom will be next, maybe?
Prescient! (but I couldn't get it to work)
https://80.lv/articles/you-can-now-run-doom-in-a-pdf-file/
https://doompdf.pages.dev/doom.pdf
It doesn't work in the Adobe Chrome PDF viewer, or in Preview.
Anyway, I love this content on Hacker news, as opposed to people explaining how they want Apple to take their freedom away, because freedom is dangerous.
May I be the first to reply that I am glad that this works in neither Safari nor Preview.app :)
https://en.wikipedia.org/wiki/Pegasus_(spyware)#Vulnerabilit...
That was sarcasm, in case it's not clear over the internet. Telling people to avoid "suspicious" pdfs/websites is common but ultimately not very useful advice.
The real takeaway is: don't become a target of a nation state intelligence agency. If you own a phone, they can take over it, and there's nothing you can do.
Nothing you do will guarantee that the state won't come after you.
Something neat I found, you're able to 'clip' the blocks into each other by spinning them right before the block settles.
He never heard back from them.
Edit: here's the code for my snake game too, btw = https://github.com/robertsdotpm/resume/blob/main/snake.js
One other way would be to use normal text fields and leveraging custom fonts. I think there are an enormous potential with fonts in the realm of pdf hacking. I think there is also a story of past vuln on pdf.js because fonts were evaluated outside the sandbox.
1. What led you to want to do this project?
2. Have you worked with PDFs before? Do you work with PDFs as part of your day job?
3. Have you implemented Tetris before or is this your first time?
4. How long did it take you?
Did you do the actual coding in Acrobat or is there a less painful way to write embedded JS in a PDF?
https://www.canada.ca/content/dam/ircc/migration/ircc/englis...
Seems like a pretty genius way of avoiding transcription errors. When I dropped my passport application off yesterday the passport officer marked up a few things on the PDF and then scanned it in, so I assume that they use the QR code to automatically fill in the data as I entered it and then make any updates necessary from after-the-fact modifications manually.
Only seemed to work correctly in Acrobat Reader, but I haven't tried others (like Foxit) or anything.
I don't do security stuff anymore but I feel chills when I see (great) things like this,
I have increasing confidence that when AIs finally destroy the Internet the delivery vehicle will be the file format that was created, as the Internet itself was, as a form of digital paper.
which is why i am commenting to check it out later.
since postscript is also a language that it literally runs to render, would it also be possible to use postscript to make interactive elements?
The .PDF basics vid was the first in the series: https://www.youtube.com/watch?v=q6KgFezu8tw
I regret this decision now and wish that I had paid some attention. 3D printers are cool and I have no idea how to design objects for it.
Get Solvespace: https://solvespace.com/index.pl
Do the tutorials. If/when you outgrow it, the concepts will carry over to FreeCAD which otherwise has a steeper learning curve but has more capabilities.
EDIT: looks like they finally addressed the topological naming problem, I guess I better give it a second chance!
However, modern version of Acrobat Reader do not support that anymore. https://helpx.adobe.com/acrobat/kb/flash-format-support-in-p...:
“Flash Player end-of-life (EOL) impacts playback and authoring of rich media having Flash content (.flv and .swf) in PDFs:
• Playback of Flash media (.flv and .swf) content in existing PDFs will not be supported.”
The real achievement here arguably isn't running code (that's provided by the PDF spec and implementations), but managing to hook it up to user input/output in an ergonomic-enough way to play Tetris.
The PDF [1] containing the Lambda calculus term manages to hang/glitch/crash both Firefox's and macOS Preview's PDF renderer, which in itself is quite the achievement in portability.
Update: Nevermind, Firefox handles it perfectly, it just (probably wisely) disables seamless scrolling and I have to use the "next/previous" page buttons manually. macOS got there after a minute or two of loading with no UI indications.
[1] https://woodrush.github.io/lambda-8cc.pdf
Feel much safer!
Search for "pdfjs.enableScripting"
Set to false.