Skip to content

v2.1.0 — Security hardening

Choose a tag to compare

@AUAggy AUAggy released this 17 Mar 23:45
1c99732

Security hardening release. All local file access (images, stylesheets, includes) is now validated against the workspace root by default, blocking path traversal attacks.

Highlights

  • Path traversal blocked: Images, stylesheets, and file includes are restricted to the workspace root. Traversal attempts (../, symlinks, encoded variants) are blocked.
  • Safer PDF export: Temp files use unpredictable directories and are always cleaned up, even on failure.
  • Chromium sandbox on by default: --no-sandbox is no longer passed unconditionally. Linux falls back automatically only when the system reports sandbox unavailability.
  • Stronger HTML sanitization: All on* event attributes stripped, not just a hardcoded subset.

Breaking change

Local file references outside the workspace root are blocked by default. Set markdown-pdf.allowPathsOutsideWorkspace: true in settings to restore the previous behaviour.

See CHANGELOG.md for full details.