author: John MacFarlane <jgm@berkeley.edu> 2019-03-17 22:43:38 -0700
committer: John MacFarlane <jgm@berkeley.edu> 2019-03-17 22:43:38 -0700
commit: 325a1471d2a32bcc1e2d2580b973ff4ba1df85e8 (patch)
tree: 94c5f59aee2756009cbc87f8c65c73bca41a3b67 /README.md
parent: ca8ef74a8d50fbd76fb0d22fb110e660ef9944a4 (diff)
Make rendering safe by default.

Removes CMARK_OPT_SAFE from options. Adds CMARK_OPT_UNSAFE, with the opposite meaning. The new default behavior is to suppress raw HTML and potentially dangerous links. The CMARK_OPT_UNSAFE option has to be set explicitly to prevent this.

--------------------------------------------------------
NOTE: This change will require modifications in bindings for cmark and in most libraries and programs that use cmark.
--------------------------------------------------------

Closes #239, #273. Borrows heavily from @kivikakk's patch in github/cmark-gfm#123.
Diffstat (limited to 'README.md')
-rw-r--r-- README.md | 12
1 files changed, 6 insertions, 6 deletions
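The commit message above says the new default suppresses raw HTML and the link schemes the README names as potentially dangerous, and that bindings and downstream programs will need changes. A downstream pipeline can guard against one of those changes silently restoring the old pass-through behaviour by checking the rendered HTML it is about to serve. The scanner below is an added example, not part of cmark or of this commit: it walks rendered HTML with Python's `html.parser`, flags any URL-bearing attribute whose scheme is `javascript:`, `vbscript:`, `data:` or `file:`, and normalises the value the way a browser would before reading the scheme. The attribute list, the normalisation rules and the sample outputs are this example's own assumptions, not cmark's scanner.

```python
"""Post-render check for Markdown-to-HTML pipelines.

Constructed example (not part of cmark or of this commit): scans rendered
HTML for link targets using the schemes the README names as potentially
dangerous, so a pipeline can assert that nothing upstream slipped into
CMARK_OPT_UNSAFE behaviour. Schemes, attribute names and samples are this
example's assumptions, not cmark's own scanner.
"""
import re
from html.parser import HTMLParser

# Schemes listed in the README hunk of this commit.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:", "file:")

# Attributes whose value a browser treats as a URL (assumption: this list is
# ours, chosen to cover the usual navigation and resource-loading attributes).
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


def is_dangerous_url(url: str) -> bool:
    """Return True if the URL's scheme is one of DANGEROUS_SCHEMES.

    Browsers drop leading C0 controls/spaces and any embedded tab, CR or LF
    before reading the scheme, and compare it case-insensitively, so the same
    normalisation is applied here; otherwise "JavaScript:" or "java\\nscript:"
    would pass a naive prefix test.
    """
    cleaned = re.sub(r"^[\x00-\x20]+", "", url)
    cleaned = re.sub(r"[\t\n\r]", "", cleaned).lower()
    return cleaned.startswith(DANGEROUS_SCHEMES)


class _LinkCollector(HTMLParser):
    """Collects (tag, attribute, value) for every dangerous URL attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names and decodes entity references
        # in values, so "&#106;avascript:" arrives here already as "javascript:".
        for name, value in attrs:
            if name in URL_ATTRS and value is not None and is_dangerous_url(value):
                self.findings.append((tag, name, value))


def find_dangerous_links(html: str) -> list[tuple[str, str, str]]:
    """Return every (tag, attribute, value) in `html` with a dangerous scheme."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.findings


# Constructed samples standing in for renderer output: the first is what a
# safe-by-default render of "[x](javascript:alert(1))" is assumed to look
# like (link kept, target dropped); the second is output with the dangerous
# targets passed through.
SAFE_OUTPUT = '<p><a href="">x</a></p>\n'
UNSAFE_OUTPUT = (
    '<p><a href="JavaScript:alert(1)">x</a>\n'
    '<img src="data:text/html,&lt;script&gt;" alt="" />\n'
    '<a href="&#106;avascript:alert(2)">y</a>\n'
    '<a href="https://example.com/?next=javascript:x">ok</a></p>\n'
)

if __name__ == "__main__":
    for label, output in (("safe", SAFE_OUTPUT), ("unsafe", UNSAFE_OUTPUT)):
        hits = find_dangerous_links(output)
        print(f"{label}: {len(hits)} dangerous link(s)")
        for tag, attr, value in hits:
            print(f"  <{tag} {attr}={value!r}>")
```

Run it as a step in the pipeline's tests: rendering a fixture such as `[x](javascript:alert(1))` and asserting `find_dangerous_links` returns nothing catches a binding that has started passing `CMARK_OPT_UNSAFE` (or `--unsafe`) without anyone noticing. The check is a tripwire, not a sanitizer: the README's advice to run untrusted output through a real HTML sanitizer still applies when unsafe mode is deliberately enabled.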
diff --git a/README.md b/README.md
index bd3694e..5f31ccc 100644
--- a/README.md
+++ b/README.md
@@ -156,14 +156,14 @@ be found in the man pages in the `man` subdirectory.
Security
--------
-By default, the library will pass through raw HTML and potentially
+By default, the library will scrub raw HTML and potentially
dangerous links (`javascript:`, `vbscript:`, `data:`, `file:`).
-It is recommended that users either disable this potentially unsafe
-feature by using the option `CMARK_OPT_SAFE` (or `--safe` with the
-command-line program), or run the output through an HTML sanitizer
-to protect against
-[XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting).
+To allow these, use the option `CMARK_OPT_UNSAFE` (or
+`--unsafe`) with the command line program. If doing so, we
+recommend you use a HTML sanitizer specific to your needs to
+protect against [XSS
+attacks](http://en.wikipedia.org/wiki/Cross-site_scripting).
Contributing
------------
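Review bot: In the replacement paragraph, the closing parenthesis on the line `+To allow these, use the option `CMARK_OPT_UNSAFE` (or` / `+`--unsafe`) with the command line program.` is misplaced: the removed text had `(or `--safe` with the command-line program)`, so the new sentence should read `(or `--unsafe` with the command-line program)`, which also keeps "command-line" hyphenated as before. On the next line, "a HTML sanitizer" should be "an HTML sanitizer". Lastly, "scrub" in `+By default, the library will scrub raw HTML and potentially` is left undefined in the README even though the commit message says the default now suppresses raw HTML and dangerous links; a clause saying what the reader will see in the output would make the new default concrete for people reading only the README.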