authorJohn MacFarlane <jgm@berkeley.edu>2015-07-13 09:21:35 -0700
committerJohn MacFarlane <jgm@berkeley.edu>2015-07-13 10:15:55 -0700
commitac39623d667999cfae1444b46508a9a423b0df1b (patch)
tree40579cea4365b373fdc2831c2e43c2288671d028 /api_test
parent6dcd2beafdfbc9f694916bcdfa822b896aa44177 (diff)
Added `CMARK_OPT_SAFE` option and `--safe` command-line flag.
* Added `CMARK_OPT_SAFE`. This option disables rendering of raw HTML and potentially dangerous links. * Added `--safe` option in command-line program. * Updated `cmark.3` man page. * Added `scan_dangerous_url` to scanners. * In HTML, suppress rendering of raw HTML and potentially dangerous links if `CMARK_OPT_SAFE`. Dangerous URLs are those that begin with `javascript:`, `vbscript:`, `file:`, or `data:` (except for `image/png`, `image/gif`, `image/jpeg`, or `image/webp` mime types). * Added `api_test` for `CMARK_OPT_SAFE`. * Rewrote `README.md` on security.
Diffstat (limited to 'api_test')
-rw-r--r--api_test/main.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/api_test/main.c b/api_test/main.c
index 104371c..dfb5483 100644
--- a/api_test/main.c
+++ b/api_test/main.c
@@ -714,6 +714,21 @@ numeric_entities(test_batch_runner *runner)
}
static void
+test_safe(test_batch_runner *runner)
+{
+ // Test safe mode
+ static const char raw_html[] =
+ "<div>\nhi\n</div>\n\n<a>hi</a>\n[link](JAVAscript:alert('hi'))\n![image](file:my.js)\n";
+ char *html = cmark_markdown_to_html(raw_html,
+ sizeof(raw_html) - 1,
+ CMARK_OPT_DEFAULT |
+ CMARK_OPT_SAFE);
+ STR_EQ(runner, html, "<!-- raw HTML omitted -->\n<p><!-- raw HTML omitted -->hi<!-- raw HTML omitted -->\n<a href=\"\">link</a>\n<img src=\"\" alt=\"image\" /></p>\n",
+ "input with raw HTML and dangerous links");
+ free(html);
+}
+
+static void
test_md_to_html(test_batch_runner *runner, const char *markdown,
const char *expected_html, const char *msg)
{
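Review bot: test_safe exercises only the `JAVAscript:` and `file:` schemes, while the commit also suppresses `vbscript:` and non-image `data:` URLs and keeps `data:` URLs for the listed image mime types, so a wrong allowlist check in scan_dangerous_url would pass this test unnoticed. Extend the raw_html input with `[link](vbscript:hi)\n[link](data:text/html,hi)\n![image](data:image/png;base64,AAAA)\n` (constructed sample values) and add the matching `<a href=\"\">link</a>\n<a href=\"\">link</a>\n<img src=\"data:image/png;base64,AAAA\" alt=\"image\" />` before the closing `</p>` of the expected string; the last element is what the commit description implies for an allowed data: URL, so confirm it against the renderer's actual output. The `// Test safe mode` comment restates the function name; a line giving the contract under test, `// CMARK_OPT_SAFE: raw HTML is replaced by a comment, dangerous link/image URLs by an empty href/src`, would tell a reader what the expected string encodes.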
@@ -741,6 +756,7 @@ int main() {
line_endings(runner);
numeric_entities(runner);
test_cplusplus(runner);
+ test_safe(runner);
test_print_summary(runner);
retval = test_ok(runner) ? 0 : 1;