by stevekemp 2802 days ago
I've reported many bugs in projects that turn "URL" to "PDF".

You need to be sure you're limiting the kind of URLs that people can submit. For example, ensure that nobody makes a PDF of:

* file:////etc/passwd

* http://169.254.169.254/latest/meta-data/local-hostname

* http://localhost:8080/

I'd say over half of the "PDF-creation" projects posted here have been vulnerable to some/all of those attacks. (I continue to be surprised at how many web-to-pdf services exist. I guess there must be a lot of people paying for them?)

3 comments
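The three URLs above are the classic SSRF probes against a URL-to-PDF renderer: a local file read, the cloud instance metadata endpoint on the link-local address, and a service bound to loopback. The following is an added example, not code from the original post or from txPDF, of the kind of allow-list check a renderer should apply before fetching anything. It assumes a hypothetical `check_render_url` helper, only accepts `http`/`https` on ports 80/443, and resolves every address for a hostname so that a name pointing at an internal address is refused; the hostnames in the constructed DNS table are placeholders for demonstration.

```python
"""Allow-list check for a URL-to-PDF renderer (hypothetical helper, not txPDF's code).

Rejects anything that is not http/https, anything carrying credentials or a
non-standard port, and any host whose resolved addresses include loopback,
link-local, private, or other non-global ranges.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA address for host, i.e. all addresses a fetcher could pick."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_global_address(text: str) -> bool:
    """True only for globally routable addresses; 127/8, 10/8, 169.254/16, ::1 etc. fail."""
    ip = ipaddress.ip_address(text)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def check_render_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Decide whether url may be rendered; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = [host] if _is_ip_literal(host) else list(resolver(host))
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"dns failure: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    # Every answer must be global: a mixed public/internal answer is still refused.
    for addr in addrs:
        if not is_global_address(addr):
            return False, f"{host} resolves to non-global address {addr}"
    return True, f"ok: {host} -> {', '.join(addrs)}"


# Constructed DNS table so the example runs offline; these names are placeholders.
CONSTRUCTED_DNS = {
    "public.example": ["93.184.216.34"],
    "reports.internal.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def constructed_resolver(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: no such host {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "file:////etc/passwd",
        "http://169.254.169.254/latest/meta-data/local-hostname",
        "http://localhost:8080/",
        "http://[::ffff:169.254.169.254]/",
        "https://rebind.example/",
        "https://public.example/report",
    ):
        print(candidate, "->", check_render_url(candidate, constructed_resolver))
```

Checking the name once and then letting the browser engine resolve it again leaves a window for the answer to change between check and fetch, so in a real deployment the renderer should be made to connect to the addresses this check approved (or run behind an egress proxy that enforces the same policy) rather than trusting the hostname on its own.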

These are great security suggestions and I should make some clarifications on the intended use. We use txPDF as a backend microservice, and it is not open to direct public use. It is good for automating report generation from other portions of a larger system.

Also, ensure that people can't use them to mine cryptocurrency. I've seen the owner of one such project blog about how that happened to them.

I'm the owner/dev of one of those paid services, and yes, competition is fierce, but people do still pay for the convenience of not having to manage it themselves. One look at the issue count of puppeteer/phantomjs/selenium/slimer... tells its own story.