authorJohn MacFarlane <jgm@berkeley.edu>2019-03-17 22:43:38 -0700
committerJohn MacFarlane <jgm@berkeley.edu>2019-03-17 22:43:38 -0700
commit325a1471d2a32bcc1e2d2580b973ff4ba1df85e8 (patch)
tree94c5f59aee2756009cbc87f8c65c73bca41a3b67 /api_test
parentca8ef74a8d50fbd76fb0d22fb110e660ef9944a4 (diff)
Make rendering safe by default.
Removes CMARK_OPT_SAFE from options. Adds CMARK_OPT_UNSAFE, with the opposite meaning. The new default behavior is to suppress raw HTML and potentially dangerous links. The CMARK_OPT_UNSAFE option has to be set explicitly to prevent this. -------------------------------------------------------- NOTE: This change will require modifications in bindings for cmark and in most libraries and programs that use cmark. -------------------------------------------------------- Closes #239, #273. Borrows heavily from @kivikakk's patch in github/cmark-gfm#123.
Diffstat (limited to 'api_test')
-rw-r--r--api_test/main.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/api_test/main.c b/api_test/main.c
index 1f1f77f..83afbff 100644
--- a/api_test/main.c
+++ b/api_test/main.c
@@ -177,7 +177,8 @@ static void accessors(test_batch_runner *runner) {
OK(runner, cmark_node_set_literal(string, literal + sizeof("prefix")),
"set_literal suffix");
- char *rendered_html = cmark_render_html(doc, CMARK_OPT_DEFAULT);
+ char *rendered_html = cmark_render_html(doc,
+ CMARK_OPT_DEFAULT | CMARK_OPT_UNSAFE);
static const char expected_html[] =
"<h3>Header</h3>\n"
"<ol start=\"3\">\n"
@@ -859,7 +860,7 @@ static void test_safe(test_batch_runner *runner) {
"a>\n[link](JAVAscript:alert('hi'))\n![image]("
"file:my.js)\n";
char *html = cmark_markdown_to_html(raw_html, sizeof(raw_html) - 1,
- CMARK_OPT_DEFAULT | CMARK_OPT_SAFE);
+ CMARK_OPT_DEFAULT);
STR_EQ(runner, html, "<!-- raw HTML omitted -->\n<p><!-- raw HTML omitted "
"-->hi<!-- raw HTML omitted -->\n<a "
"href=\"\">link</a>\n<img src=\"\" alt=\"image\" "