If you discover a security vulnerability in any of these tools, please report it responsibly.
Do not open a public issue. Instead, contact the maintainer:
Please include:
- Which tool is affected (md, pixel, or json)
- A description of the vulnerability
- Steps to reproduce
- Potential impact
You should receive a response within 48 hours.
All tools in this repo are fully client-side applications. No data is ever sent to a server. Security concerns typically involve:
- XSS via rendered content — all HTML output is sanitized with DOMPurify
- Mermaid diagram injection (MD) — Mermaid runs with `securityLevel: 'strict'`
- Malicious shared links — compressed content is sanitized after decompression
Only the latest version on main is supported. There are no versioned releases at this time.