From 0879fa412a2d4a417aeca5cd5092a8f86531e7ef Mon Sep 17 00:00:00 2001
From: Andris Reinman <andris@kreata.ee>
Date: Sun, 19 Mar 2017 14:06:34 +0200
Subject: [PATCH] force template html as html code, not an url or file path
 ensure that external resources are not loaded by jsdom

---
 lib/tools.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/tools.js b/lib/tools.js
index edd43296c..6dbf3a44b 100644
--- a/lib/tools.js
+++ b/lib/tools.js
@@ -199,8 +199,13 @@ function prepareHtml(html, callback) {
     if (!(html || '').toString().trim()) {
         return callback(null, false);
     }
-
-    jsdom.env(html, (err, win) => {
+    jsdom.env(false, false, {
+        html,
+        features: {
+            FetchExternalResources: false, // disables resource loading over HTTP / filesystem
+            ProcessExternalResources: false // do not execute JS within script blocks
+        }
+    }, (err, win) => {
         if (err) {
             return callback(err);
         }