print in commands now automatically converts to string, untrusted partials cannot include beyond PWD.

command.py

@@ -68,10 +68,10 @@ def executeCommand(source, element: Element, ctx: Context) -> List[Element]:
 		if mode == 'elements':
 			raise SyntaxError("Cannot use `print` and `appendChild` in one command at the same time.")
 		mode = 'text'
-		text += s
+		text += str(s)
 
 	def println(s: str=""):
-		print(s+"\n")
+		print(str(s)+"\n")
 
 	def appendChild(e: Element):
 		nonlocal mode, content

transform.py

@@ -57,6 +57,11 @@ def transform(e: Element, c: Context) -> Element:
 		if (isinstance(e, Div) and "partial" in e.attributes)\
 		  or (isinstance(e, CodeBlock) and "markdown" in e.classes and "group" in e.classes):
 			if isinstance(e, Div):
+				if not c.trusted: # If we're in an untrusted context, we shouldn't allow inclusion of files outside the PWD.
+					full_path = os.path.abspath(c.dir + "/" + e.attributes["partial"])
+					pwd = os.path.abspath(".")
+					if os.path.commonpath([full_path, pwd]) != os.path.commonpath([pwd]):
+						return nullify(e)
 				text = open(c.dir + "/" + e.attributes["partial"], "r").read()
 				path = c.dir + "/" + e.attributes["partial"]
 			else: