Description
Pandoc 2.15 introduced a sandbox mode with the --sandbox parameter. The announcement can be found here, but the most important part for us is as follows:
A new option --sandbox will ensure that pandoc's readers and writers do
no IO besides reading from the files specified on the command line and
writing the output. This restriction is enforced by the type system.
Anyone who uses pandoc to process untrusted data should use this
option (keeping in mind especially that some formats, such as RST,
Org, and LaTeX, have directives for including files). Note: filters, PDF
production, and custom writers are unaffected. If you use these features,
you are responsible for considering the security risks. Those who
maintain libraries (such as pypandoc) that run pandoc with a system
call may want to consider adding --sandbox to the parameters used by
default.
I agree with the above statement, and do believe that it needs to be enforced by default, with the option of disabling it (such as with a boolean to the convert calls).
With pandoc versions before 2.15, things will remain unchanged.
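A sketch of the behaviour requested above, as an added example that is not pypandoc's own code: `--sandbox` is added by default when the installed pandoc is 2.15 or newer, a boolean turns it off, and older versions get an unchanged command line. The function names and the `sandbox` parameter are hypothetical.

```python
import re
import subprocess

SANDBOX_MIN_VERSION = (2, 15)  # first pandoc release with --sandbox, per the announcement


def parse_pandoc_version(version_output):
    """Turn the first line of `pandoc --version` into a comparable tuple of ints."""
    first_line = version_output.splitlines()[0] if version_output else ""
    match = re.match(r"pandoc(?:\.exe)?\s+(\d+(?:\.\d+)*)", first_line)
    if not match:
        raise ValueError("unrecognised pandoc version output: %r" % first_line)
    return tuple(int(part) for part in match.group(1).split("."))


def build_pandoc_args(source_file, to_format, version, extra_args=(),
                      sandbox=True, pandoc_path="pandoc"):
    """Build the pandoc argv, adding --sandbox by default when it is supported."""
    extra = list(extra_args)
    # Respect a sandbox flag the caller already passed, in either spelling.
    already_set = any(a == "--sandbox" or a.startswith("--sandbox=") for a in extra)
    args = [pandoc_path, "--to", to_format]
    # Compare integer tuples: as strings, "2.9" would sort after "2.15".
    if sandbox and not already_set and version >= SANDBOX_MIN_VERSION:
        args.append("--sandbox")
    # Filters and PDF production are outside the sandbox (see the announcement),
    # so anything in extra_args that enables them still needs its own review.
    return args + extra + [source_file]


def convert_file(source_file, to_format, extra_args=(), sandbox=True,
                 pandoc_path="pandoc"):
    """Hypothetical convert call: detect the version, then run pandoc."""
    probe = subprocess.run([pandoc_path, "--version"],
                           capture_output=True, text=True, check=True)
    version = parse_pandoc_version(probe.stdout)
    args = build_pandoc_args(source_file, to_format, version,
                             extra_args, sandbox, pandoc_path)
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout
```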