Minimal, secure Markdown → PDF editor. Split editor + live A4 preview, exports via the browser's native PDF engine.
- Split layout — editor on the left, A4 preview on the right.
- Real pagination — the preview measures content and renders one card per page, matching the printed output.
- Line numbers — synced gutter in the editor.
- Print-ready PDF —
Export PDFopens the browser's native print-to-PDF, with consistent margins on every sheet and clean page breaks. - Sanitized rendering — no
javascript:URIs, no inline event handlers, linkrel="noopener noreferrer nofollow". - Autosave — local-only via
localStorage. Nothing leaves your machine.
| Layer | Choice |
|---|---|
| Framework | SvelteKit (Svelte 5, runes mode) |
| Language | TypeScript |
| Bundler | Vite |
| Package manager | pnpm |
| Markdown parser | marked |
| HTML sanitizer | DOMPurify |
| Fonts | Inter, Source Sans 3, Space Mono |
pnpm install
pnpm devThen open http://localhost:5173.
pnpm build # production build
pnpm preview # preview the production build
pnpm check # run svelte-check- XSS: all rendered HTML passes through
DOMPurifywith a strict tag and attribute allowlist (src/lib/markdown.ts). - URI scheme allowlist: only
http,https,mailto, and inlinedata:image/*are permitted. - Link hardening: every
<a>is rewritten withtarget="_blank"+rel="noopener noreferrer nofollow". - CSP: applied in production via
src/hooks.server.ts—default-src 'self',script-src 'self',frame-ancestors 'none',object-src 'none'. - Other headers:
X-Content-Type-Options: nosniff,X-Frame-Options: DENY,Referrer-Policy: strict-origin-when-cross-origin,Permissions-Policyrestricting camera/mic/geo.
In the browser print dialog, expand More settings and uncheck Headers and footers to remove any URL/date/host band the browser may still inject in some corporate builds.
MIT — see LICENSE.