Disable external file access by default

mwilliamson · mwilliamson · commit c54aaeb43a79 · 2025-09-19T11:15:02.000+01:00
diff --git a/NEWS b/NEWS
@@ -2,7 +2,8 @@
 
 * Ignore style definitions using a style ID that has already been used.
 
-* Support disabling external file accesses using the externalFileAccess option.
+* Disable external file accesses by default. External file access can be enabled
+  using the externalFileAccess option.
 
 * Handle numbering levels defined without an index.
 
diff --git a/README.md b/README.md
@@ -377,9 +377,9 @@ Converts the source document to HTML.
      set `options.includeDefaultStyleMap` to `false`.
 
   * `externalFileAccess`: Source documents may reference files outside of the source document.
-    To disable access to any such external files during the conversion process,
-    set `options.externalFileAccess` to `false`.
-    This is highly recommended when converting untrusted user input.
+    Access to any such external files is disabled by default.
+    To enable access when converting trusted source documents,
+    set `options.externalFileAccess` to `true`.
 
   * `convertImage`: by default, images are converted to `<img>` elements with the source included inline in the `src` attribute.
     Set this option to an [image converter](#image-converters) to override the default behaviour.
@@ -541,8 +541,9 @@ For instance:
   and embed the HTML into your website,
   this may allow arbitrary files on the server to be read and exfiltrated.
 
-  To disable access to any such external files during the conversion process,
-  set `options.externalFileAccess` to `false`.
+  To avoid this issue, access to any such external files is disabled by default.
+  To enable access when converting trusted source documents,
+  set `options.externalFileAccess` to `true`.
 
 ### Document transforms
 
diff --git a/lib/options-reader.js b/lib/options-reader.js
@@ -63,7 +63,7 @@ var defaultStyleMap = exports._defaultStyleMap = [
 ];
 
 var standardOptions = exports._standardOptions = {
-    externalFileAccess: true,
+    externalFileAccess: false,
     transformDocument: identity,
     includeDefaultStyleMap: true,
     includeEmbeddedStyleMap: true
diff --git a/test/mammoth.tests.js b/test/mammoth.tests.js
@@ -309,27 +309,27 @@ test('src of inline images can be changed using readAsBuffer()', function() {
     });
 });
 
-test('images stored outside of document are included in output', function() {
+test('when external file access is enabled then images stored outside of document are included in output', function() {
     var docxPath = path.join(__dirname, "test-data/external-picture.docx");
-    return mammoth.convertToHtml({path: docxPath}).then(function(result) {
+    return mammoth.convertToHtml({path: docxPath}, {externalFileAccess: true}).then(function(result) {
         assert.equal(result.value, '<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAAAXNSR0IArs4c6QAAAAlwSFlzAAAOvgAADr4B6kKxwAAAABNJREFUKFNj/M+ADzDhlWUYqdIAQSwBE8U+X40AAAAASUVORK5CYII=" /></p>');
         assert.deepEqual(result.messages, []);
     });
 });
 
-test('error if images stored outside of document are specified when passing file without path', function() {
+test('when external file access is enabled then error if images stored outside of document are specified when passing file without path', function() {
     var docxPath = path.join(__dirname, "test-data/external-picture.docx");
     var buffer = fs.readFileSync(docxPath);
-    return mammoth.convertToHtml({buffer: buffer}).then(function(result) {
+    return mammoth.convertToHtml({buffer: buffer}, {externalFileAccess: true}).then(function(result) {
         assert.equal(result.value, '');
         assert.equal(result.messages[0].message, "could not find external image 'tiny-picture.png', path of input document is unknown");
         assert.equal(result.messages[0].type, "error");
     });
 });
 
-test('error if images stored outside of document are specified when external file access is disabled', function() {
+test('given external file access is disabled by default then error if images stored outside of document are specified', function() {
     var docxPath = path.join(__dirname, "test-data/external-picture.docx");
-    return mammoth.convertToHtml({path: docxPath}, {externalFileAccess: false}).then(function(result) {
+    return mammoth.convertToHtml({path: docxPath}).then(function(result) {
         assert.equal(result.value, '');
         assert.equal(result.messages[0].message, "could not read external image 'tiny-picture.png', external file access is disabled");
         assert.equal(result.messages[0].type, "error");
