Don't listen on any interface by default.

Rob--W · Rob--W · commit 93fe32fe0881 · 2016-05-30T11:06:26.000+02:00
The previous default is a huge security hazard...
diff --git a/README.md b/README.md
@@ -14,3 +14,11 @@ REST API
 | Close Webpage    | DELETE      | http://localhost:\<port\> | |
 
 By default, `<port>` is 8090
+
+Environment variables
+---------------------
+
+* `INSTANT_MARKDOWN_OPEN_TO_THE_WORLD=1` - by default, the server only listens
+  on localhost. To make the server available to others in your network, set this
+  environment variable to a non-empty value. Only use this setting on trusted
+  networks!
diff --git a/instant-markdown-d b/instant-markdown-d
@@ -10,7 +10,16 @@ var server = require('http').createServer(httpHandler),
     server,
     socket;
 
-server.listen(8090);
+// WARNING: By setting this environment variable, anyone on your network may
+// run arbitrary code in your browser and read arbitrary files in the working
+// directory of the open file!
+if (process.env.INSTANT_MARKDOWN_OPEN_TO_THE_WORLD) {
+  // Listen on any interface.
+  server.listen(8090);
+} else {
+  // Listen locally.
+  server.listen(8090, '127.0.0.1');
+}
 
 var md = new MarkdownIt({
   html: true,
