Secret detection
Before any file is accepted, pdrive scans it for leaked credentials. API keys, access tokens, passwords, private keys, and other sensitive patterns are detected and rejected.
This runs on every upload, every paste, every API write. If it looks like a secret, the content is blocked before it reaches storage.
Plaintext validation
pdrive only stores plaintext. Binary files, invalid UTF-8 sequences, and non-text content are rejected at upload time. If a file isn't valid text, it doesn't get in.
Dangerous unicode stripping
Some unicode characters can change how text is displayed without being visible. Bidirectional override characters can make code appear to do something different than it actually does. Zero-width characters can hide content from human review.
pdrive strips these characters on input. The text you see is the text that's stored.
HTML sanitization
When user-generated content is rendered as HTML, pdrive removes dangerous elements. Iframes, script tags, form elements, and event handlers are stripped.
This applies to any context where stored content is displayed in a browser. The raw text is preserved, but the rendered output is sanitized.
Heading ID prefixing
Document headings generate HTML IDs for anchor linking. To prevent DOM injection, these IDs are prefixed with a namespace that isolates user content from application elements.
This stops a document from overriding page controls or interfering with pdrive's own interface elements.