BFO Publisher 1.4 released

It's been a long time since our last BFO Publisher release, but we put a new one out on Monday this week which adds a few features and tightens up some security aspects too.

Security

We've run a top-to-bottom security audit on BFO Publisher and tightened up a few areas which could potentially be exploited. All security-related aspects are now grouped together in our documentation to help customers keep track.

  • While we were largely blocking XML External Entity injection, there were some cases where external entities were able to bypass our filters. Now fixed.
  • Egress filtering (which potentially prevents an HTML file loaded from A from accessing a file from B) has been rewritten to allow custom filters to be created, limiting (for example) file access to only certain directories.
  • External entity resolution and XML include are now disabled by default; both are useful in some workflows but external entities in particular are complex and poorly understood, making them prone to abuse.
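
To illustrate the kind of decision an egress filter makes, here is an added example that is not BFO Publisher code and does not use its API: the `EgressFilter` class, its method names, and the sample paths and hosts are all hypothetical. It denies by default, restricts file access to listed directories after canonicalising the path, and lets a document loaded from one origin reach another only if that host is explicitly allowed.

```python
from pathlib import Path
from urllib.parse import urlsplit, unquote


class EgressFilter:
    """Hypothetical allow-list policy; not BFO Publisher's API."""

    def __init__(self, allowed_dirs, allowed_hosts=()):
        # Canonicalise once so later comparisons are on resolved paths.
        self.allowed_dirs = [Path(d).resolve() for d in allowed_dirs]
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def allows(self, document_url, resource_url):
        """Return True if the document may load the resource."""
        doc, res = urlsplit(document_url), urlsplit(resource_url)
        if res.scheme == "file":
            # A document fetched over the network never reads local files.
            if doc.scheme != "file" or res.netloc not in ("", "localhost"):
                return False
            # Decode %2e%2e and collapse ".." and symlinks before checking.
            target = Path(unquote(res.path)).resolve()
            # Component-wise match, so /assets-old does not pass as /assets.
            return any(target.is_relative_to(d) for d in self.allowed_dirs)
        if res.scheme in ("http", "https"):
            try:
                same_origin = (res.scheme, res.hostname, res.port) == (
                    doc.scheme, doc.hostname, doc.port)
            except ValueError:  # malformed port number
                return False
            return same_origin or (res.hostname or "") in self.allowed_hosts
        return False  # any other scheme is denied


if __name__ == "__main__":
    # Constructed sample paths and hosts.
    f = EgressFilter(["/srv/reports/assets"], ["fonts.example.com"])
    doc = "file:///srv/reports/assets/report.html"
    for url in ("file:///srv/reports/assets/logo.png",
                "file:///srv/reports/assets/%2e%2e/secret.txt",
                "https://fonts.example.com/a.woff2",
                "http://internal.example/admin"):
        print(url, "->", "allow" if f.allows(doc, url) else "deny")
```
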

EA-Mail support, for archiving email to PDF

Since our previous release the EA-Mail specification has been published, and BFO Publisher now supports conversion of RFC 5322 Email to PDF files that are compliant with EA-Mail 1.0. We've got another article on this coming up, so watch this space.

New "input" features: OpenType variable fonts, CSS nesting and cascade-layers, etc

New features supported on the input-format side of things are OpenType variable fonts, which are converted to "static snapshots" for embedding in a PDF. We've also added full support for CSS Nesting and CSS Cascade Layers, which together bring very significant improvements for anyone writing CSS for large or complex documents. Both of these technologies are widely supported in browsers, and can now be applied to the world of CSS for print as well.

Our layout team has also been hard at work squashing bugs, in particular in the flex and multicolumn layout models which have seen many improvements. There has also been a focus on fixing crashes, and our "crash rate" when running the roughly 33,600 testcases from the Web Platform Test files has fallen from roughly forty in the previous release to just one in this release.

New "PDF" features: PDF/UA bulletproofing, attachments to file annotations or tags

When converting the tags to PDF, the PDF/UA output has benefited from changes to our underlying PDF Library; BFO is a member of the PDF/UA working group, so it's a matter of professional pride that our PDF/UA output is 100% valid and matches all the latest clarifications to the PDF/UA specification. We've certainly fixed a few edge-cases in this release, and have verified the results against both our own PDF/UA verifier and those of others in the industry.

It's now possible to style radio-buttons and checkboxes completely in PDF, including :checked, :hover and :active. Along with normal buttons, radio-buttons and checkboxes are static or non-variable fields where we can specify their appearance exactly (unlike text fields, where the field appearance has to be recreated by the PDF viewer as its value is updated).

Summary

There's more listed in the release notes, and the latest version is now live at publisher.bfo.com where you can download the package.