
Plugin description (original language)
PDF Embed renders PDFs directly in your pages using PDF.js: no plugins for the visitor, no Google Docs iframes, no third-party trackers. PDF.js is bundled inside the plugin and served from your own site, so no third-party requests are ever made.
Built by Fren at Strands Services Ltd. Support: [email protected].
Features
Continuous vertical scroll across all pages, with lazy rendering via IntersectionObserver
Page navigation, zoom, fit-to-width, download, and print controls (these toggle which buttons render in the toolbar; they’re a UI choice, not access control; see the Security section)
Global sizing modes: Responsive, Fixed, or Fixed Aspect Ratio (A4, Letter, 16:9, 4:3, 1:1, or custom)
Light, Dark, or Auto color mode (Auto follows the visitor’s OS/browser prefers-color-scheme)
Per-mode color customization (with alpha/transparency support on the Page Shadow field), plus a safely-scoped Custom CSS field for power users
Live preview on the settings page
Editors: Gutenberg block, Classic Editor TinyMCE button, Enfold ALB element, Elementor widget, WPBakery element, and [pdf_embed] shortcode
Media Library picker filtered to PDFs only
Translation-ready (English + Hungarian included)
Theme-overridable viewer template
Shortcode
[pdf_embed id="123" sizing="responsive" download="yes" navigation="yes" zoom="yes"]
All attributes are optional except id. Per-embed attrs override the global defaults on the Sizing and Appearance tabs.
Security
Frontend visitors have no attack surface: no REST endpoints, no AJAX handlers, no form submissions.
Shortcode attribute sanitizers reject any value outside strict whitelists (units, hex/rgba colors, W:H ratios).
Attachment access is gated by current_user_can('read_post', $id); contributors cannot embed other users’ private PDFs.
pdfjsLib.getDocument() is called with isEvalSupported: false to prevent font-based JS execution.
All output is routed through WordPress’s escape functions (esc_html, esc_attr, esc_url, wp_kses, wp_print_inline_script_tag). The release pipeline includes a check that fails the build if a phpcs:ignore for the output-escaping sniff ever appears in shipped code.
Canvas size is clamped to ~268M pixels per page. Page count is capped at 2000 per embed. Both prevent client-side DoS from hostile PDFs.
PDF.js ships inside the plugin and loads only from your own domain; no third-party servers are contacted.
Debug information (attempted mime, extension) is only emitted when WP_DEBUG is on.
Content-Security-Policy: the plugin emits one inline
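The canvas-size cap, page-count cap and isEvalSupported setting from the Security list above, sketched as an added example (not the plugin's own code). The exact pixel constant 16384 × 16384 and all function names are assumptions; the page states only "~268M pixels" and "2000".

```javascript
// Added example: a render budget for untrusted PDFs (not the plugin's code).
// Assumed constants: the page says "~268M pixels" and "2000 per embed";
// 16384 * 16384 = 268,435,456 is used here as the concrete pixel cap.
const MAX_CANVAS_PIXELS = 16384 * 16384;
const MAX_PAGES = 2000;

// Options for pdfjsLib.getDocument(); isEvalSupported: false is the
// setting named in the Security list.
function documentParams(url) {
  return { url, isEvalSupported: false };
}

// How many pages the viewer creates placeholders for. A hostile file can
// declare any page count, so anything that is not a positive integer is 0.
function pagesToRender(numPages) {
  if (!Number.isInteger(numPages) || numPages < 1) return 0;
  return Math.min(numPages, MAX_PAGES);
}

// Given a page's size at scale 1 and the requested scale
// (zoom * devicePixelRatio), return canvas dimensions within the budget.
function clampCanvas(pageWidth, pageHeight, requestedScale) {
  const inputs = [pageWidth, pageHeight, requestedScale];
  if (!inputs.every((n) => Number.isFinite(n) && n > 0)) {
    throw new RangeError("page dimensions and scale must be finite and > 0");
  }
  const area = pageWidth * pageHeight * requestedScale ** 2;
  // Area grows with scale squared, so shrink by the square root of the ratio.
  const scale = area > MAX_CANVAS_PIXELS
    ? requestedScale * Math.sqrt(MAX_CANVAS_PIXELS / area)
    : requestedScale;
  const side = (len) => Math.max(1, Math.floor(len * scale));
  // Extreme aspect ratios: the 1-pixel minimum on the short side can push
  // the product back over the cap, so bound each side explicitly.
  const width = Math.min(MAX_CANVAS_PIXELS, side(pageWidth));
  const height = Math.min(Math.floor(MAX_CANVAS_PIXELS / width), side(pageHeight));
  return { width, height, scale };
}
```

The clamp runs on the page dimensions the file declares, before any canvas is allocated, so an oversized page costs one arithmetic check rather than a failed allocation.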
