From b1135edccac27d7ae5db0825e7dbda316bc69e2b Mon Sep 17 00:00:00 2001
From: DocFast Bot <openclawd@docfast.dev>
Date: Mon, 16 Feb 2026 15:32:34 +0000
Subject: [PATCH] security: disable JavaScript execution in Puppeteer for PDF
 generation

---
 src/services/browser.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/services/browser.ts b/src/services/browser.ts
index 662e8b7..f250eb2 100644
--- a/src/services/browser.ts
+++ b/src/services/browser.ts
@@ -232,6 +232,7 @@ export async function renderPdf(
 ): Promise<Buffer> {
   const { page, instance } = await acquirePage();
   try {
+    await page.setJavaScriptEnabled(false);
     const result = await Promise.race([
       (async () => {
         await page.setContent(html, { waitUntil: "domcontentloaded", timeout: 15_000 });
@@ -269,6 +270,7 @@ export async function renderUrlPdf(
 ): Promise<Buffer> {
   const { page, instance } = await acquirePage();
   try {
+    await page.setJavaScriptEnabled(false);
     const result = await Promise.race([
       (async () => {
         await page.goto(url, {