Make rendering safe by default.

Removes CMARK_OPT_SAFE from options.

Adds CMARK_OPT_UNSAFE, with the opposite meaning.
The new default behavior is to suppress raw HTML and
potentially dangerous links.  The CMARK_OPT_UNSAFE
option has to be set explicitly to prevent this.

--------------------------------------------------------
NOTE: This change will require modifications in
bindings for cmark and in most libraries and programs
that use cmark.
--------------------------------------------------------

Closes #239, #273.

Borrows heavily from @kivikakk's patch in github/cmark-gfm#123.

3 files changed, 14 insertions, 14 deletions

diff --git a/src/cmark.h b/src/cmark.h
index d1a65aa..ad9d4c4 100644
--- a/src/cmark.h
+++ b/src/cmark.h
@@ -552,13 +552,13 @@ char *cmark_render_latex(cmark_node *root, int options, int width);
  */
 #define CMARK_OPT_HARDBREAKS (1 << 2)
 
-/** Suppress raw HTML and unsafe links (`javascript:`, `vbscript:`,
+/** Render raw HTML and unsafe links (`javascript:`, `vbscript:`,
  * `file:`, and `data:`, except for `image/png`, `image/gif`,
- * `image/jpeg`, or `image/webp` mime types).  Raw HTML is replaced
- * by a placeholder HTML comment. Unsafe links are replaced by
- * empty strings.
+ * `image/jpeg`, or `image/webp` mime types).  By default,
+ * raw HTML is replaced by a placeholder HTML comment. Unsafe
+ * links are replaced by empty strings.
  */
-#define CMARK_OPT_SAFE (1 << 3)
+#define CMARK_OPT_UNSAFE (1 << 17)
 
 /** Render `softbreak` elements as spaces.
  */
diff --git a/src/html.c b/src/html.c
index a680e4a..a13d016 100644
--- a/src/html.c
+++ b/src/html.c
@@ -170,7 +170,7 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type,
 
   case CMARK_NODE_HTML_BLOCK:
     cr(html);
-    if (options & CMARK_OPT_SAFE) {
+    if (!(options & CMARK_OPT_UNSAFE)) {
       cmark_strbuf_puts(html, "<!-- raw HTML omitted -->");
     } else {
       cmark_strbuf_put(html, node->as.literal.data, node->as.literal.len);
@@ -242,7 +242,7 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type,
     break;
 
   case CMARK_NODE_HTML_INLINE:
-    if (options & CMARK_OPT_SAFE) {
+    if (!(options & CMARK_OPT_UNSAFE)) {
       cmark_strbuf_puts(html, "<!-- raw HTML omitted -->");
     } else {
       cmark_strbuf_put(html, node->as.literal.data, node->as.literal.len);
@@ -278,8 +278,8 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type,
   case CMARK_NODE_LINK:
     if (entering) {
       cmark_strbuf_puts(html, "<a href=\"");
-      if (!((options & CMARK_OPT_SAFE) &&
-            scan_dangerous_url(&node->as.link.url, 0))) {
+      if ((options & CMARK_OPT_UNSAFE) ||
+            !(scan_dangerous_url(&node->as.link.url, 0))) {
         houdini_escape_href(html, node->as.link.url.data,
                             node->as.link.url.len);
       }
@@ -296,8 +296,8 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type,
   case CMARK_NODE_IMAGE:
     if (entering) {
       cmark_strbuf_puts(html, "<img src=\"");
-      if (!((options & CMARK_OPT_SAFE) &&
-            scan_dangerous_url(&node->as.link.url, 0))) {
+      if ((options & CMARK_OPT_UNSAFE) ||
+            !(scan_dangerous_url(&node->as.link.url, 0))) {
         houdini_escape_href(html, node->as.link.url.data,
                             node->as.link.url.len);
       }
diff --git a/src/main.c b/src/main.c
index 1094fee..29360dc 100644
--- a/src/main.c
+++ b/src/main.c
@@ -38,7 +38,7 @@ void print_usage() {
   printf("  --sourcepos      Include source position attribute\n");
   printf("  --hardbreaks     Treat newlines as hard line breaks\n");
   printf("  --nobreaks       Render soft line breaks as spaces\n");
-  printf("  --safe           Suppress raw HTML and dangerous URLs\n");
+  printf("  --unsafe         Render raw HTML and dangerous URLs\n");
   printf("  --smart          Use smart punctuation\n");
   printf("  --validate-utf8  Replace UTF-8 invalid sequences with U+FFFD\n");
   printf("  --help, -h       Print usage information\n");
@@ -112,8 +112,8 @@ int main(int argc, char *argv[]) {
       options |= CMARK_OPT_NOBREAKS;
     } else if (strcmp(argv[i], "--smart") == 0) {
       options |= CMARK_OPT_SMART;
-    } else if (strcmp(argv[i], "--safe") == 0) {
-      options |= CMARK_OPT_SAFE;
+    } else if (strcmp(argv[i], "--unsafe") == 0) {
+      options |= CMARK_OPT_UNSAFE;
     } else if (strcmp(argv[i], "--validate-utf8") == 0) {
       options |= CMARK_OPT_VALIDATE_UTF8;
     } else if ((strcmp(argv[i], "--help") == 0) ||