v2.1.0 — Security hardening
Security hardening release. All local file access (images, stylesheets, includes) is now validated against the workspace root by default, blocking path traversal attacks.
Highlights
- Path traversal blocked: Images, stylesheets, and file includes are restricted to the workspace root. Traversal attempts (
../, symlinks, encoded variants) are blocked. - Safer PDF export: Temp files use unpredictable directories and are always cleaned up, even on failure.
- Chromium sandbox on by default:
--no-sandboxis no longer passed unconditionally. Linux falls back automatically only when the system reports sandbox unavailability. - Stronger HTML sanitization: All
on*event attributes stripped, not just a hardcoded subset.
Breaking change
Local file references outside the workspace root are blocked by default. Set markdown-pdf.allowPathsOutsideWorkspace: true in settings to restore the previous behaviour.
See CHANGELOG.md for full details.