Build mobile-friendly PDF viewer with URL parameter

[simonw]

A PDF viewer tool that accepts a URL via ?url= parameter or input field, uses PDF.js to render CORS-enabled PDFs with features including:

• Page navigation controls
• Zoom controls (auto, 50%-200%)
• Responsive mobile-friendly design
• URL synchronization (updates ?url= when loading)
• All pages rendered in a scrollable view

---

Claude Code for web prompt:

Build view-pdf.html - a tool that accepts a URL to a PDF file (and uses the one in ?url= if set , also updates that ?url= when one loads) which is served via CORS and loads PDF.js and uses it to display that PDF in a neat mobile-friendly way. Consult existing tools for examples of that library in case it's useful.

[claude]

Claude finished @simonw's task —— View job

---

PR Review: Mobile-friendly PDF viewer

Reviewing this pull request for code quality, security, and best practices.

Todo List:

• Read repository guidelines (CLAUDE.md)
• Analyze view-pdf.html implementation
• Check for existing similar tools for comparison
• Review code quality and structure
• Identify potential bugs and edge cases
• Assess performance considerations
• Evaluate security concerns
• Check mobile-friendliness and accessibility
• Provide constructive feedback and recommendations

Review Summary

This is a well-implemented, mobile-friendly PDF viewer that successfully builds upon the existing PDF.js usage patterns in the repository (similar to compare-pdfs.html). The code demonstrates solid understanding of modern web development practices with good mobile responsiveness.

✅ Strengths

Code Quality:

• Clean, well-structured HTML/CSS/JavaScript with logical separation of concerns
• Consistent coding style and comprehensive error handling
• Good use of modern JavaScript features (async/await, arrow functions, template literals)
• Proper PDF.js integration following established patterns from compare-pdfs.html

Mobile-First Design:

• Excellent responsive design with proper viewport meta tag
• Smart mobile adjustments: font-size: 16px prevents iOS zoom, increased toolbar padding
• Dynamic toolbar height adjustment (padding-top: 120px on mobile)
• Proper touch-friendly button sizing

User Experience:

• URL parameter synchronization with browser history
• Smooth scrolling and automatic page tracking
• Auto-scale mode with intelligent viewport calculation
• Clear loading states and comprehensive error messages

⚠️ Areas for Improvement

Security Concerns:

1. XSS Risk in Error Handling (view-pdf.html:288-289):

   mainContainer.innerHTML = `
       <div class="error">
           <h2>${title}</h2>    // ⚠️ Unescaped user input
           <p>${message}</p>    // ⚠️ Unescaped user input
       </div>`;

   Recommendation: Sanitize error messages or use textContent instead of innerHTML

2. URL Validation Missing (view-pdf.html:389):

   async function loadPdf(url) {
       if (!url.trim()) {  // ⚠️ Only checks for empty string

   Recommendation: Add URL validation to prevent malicious protocols

Performance Considerations:

1. Memory Management (view-pdf.html:343):

   renderedPages.clear(); // Only clears map, not canvas contexts

   Recommendation: Explicitly clean up canvas contexts to prevent memory leaks

2. Scroll Handler Optimization (view-pdf.html:487):
   The scroll handler uses 100ms debounce, which is good, but could benefit from throttling for better performance.

Accessibility Issues:

1. Missing ARIA Labels: Navigation buttons lack proper ARIA labels for screen readers
2. Keyboard Navigation: No keyboard shortcuts for common operations (spacebar for next page, etc.)
3. Color Contrast: Error text #ff6b6b on #525659 background may not meet WCAG AA standards

Edge Cases:

1. Large PDF Handling: No optimization for very large PDFs (could render all pages unnecessarily)
2. Network Failures: Should handle partial downloads and connection timeouts
3. Malformed PDFs: Error handling could be more specific for different PDF.js error types

🔧 Recommended Fixes

High Priority:

// Fix XSS vulnerability
function showError(title, message) {
    const errorDiv = document.createElement('div');
    errorDiv.className = 'error';
    
    const titleEl = document.createElement('h2');
    titleEl.textContent = title;  // Safe from XSS
    
    const messageEl = document.createElement('p');
    messageEl.textContent = message;  // Safe from XSS
    
    errorDiv.appendChild(titleEl);
    errorDiv.appendChild(messageEl);
    mainContainer.innerHTML = '';
    mainContainer.appendChild(errorDiv);
}

// Add URL validation
function isValidUrl(string) {
    try {
        const url = new URL(string);
        return ['http:', 'https:'].includes(url.protocol);
    } catch (_) {
        return false;
    }
}

Medium Priority:

• Add ARIA labels to navigation buttons
• Implement virtual scrolling for large PDFs
• Add keyboard navigation support
• Improve error specificity for different failure modes

📋 Test Coverage

The implementation lacks automated tests. Consider adding:

• Unit tests for utility functions (getAutoScale, getCurrentScale)
• Integration tests for PDF loading with mock responses
• Accessibility tests using tools like axe-core

🎯 Overall Assessment

This is a solid implementation that successfully meets the requirements. The code quality is high, mobile responsiveness is excellent, and it follows established patterns from the existing codebase. The main concerns are security-related (XSS vulnerability) and some accessibility gaps, but these are addressable with targeted fixes.

Recommendation: Approve with requested changes - Address the XSS vulnerability before merging, and consider the accessibility improvements for future iterations.

--- | Branch: claude/build-pdf-viewer-GbKfK

[simonw]

Nice: https://claude-build-pdf-viewer-gbkf.tools-b1q.pages.dev/view-pdf?url=https%3A%2F%2Fstatic.simonwillison.net%2Fstatic%2Fcors-allow%2F2025%2FPSF_2024_Annual_Impact_Report_V1.pdf