HTML renderer: Add option for stripping unsafe URLs in links and images

[jankucera]

Steps to reproduce the problem (provide example input):
Unlike the commonmark.js plugin where the option safe: true can be used, the commonmark-java does not offer this option and thus XSS attacks can be done.

example can be as simple as this javascript alert when you add it to the markdown:

[Click this!](javascript:alert('message');)

Expected behavior:
Javascript should be removed from or escaped in the markdown.

Actual behavior:
Javascript will be executed.

[robinst]

Your example is just plain text. Mind wrapping it in a code block so that I can try to reproduce this?

[robinst]

Looks like your example was:

[Click this!](javascript:alert('message');)

There's a note about this in the readme:

Note that this library doesn't try to sanitize the resulting HTML; that is the responsibility of the caller.

Having said that, I wouldn't be opposed to adding something like the commonmark.js safe: true option to HtmlRenderer.

If someone wants to do this, feel free to pick it up, it should be fairly straightforward.

[robinst]

Released in 0.14.0, thanks @VandorpeDavid!: https://github.com/atlassian/commonmark-java/blob/master/CHANGELOG.md#0140---2020-01-22

[JohnJyong]

Released in 0.14.0, thanks @VandorpeDavid!: https://github.com/atlassian/commonmark-java/blob/master/CHANGELOG.md#0140---2020-01-22

[Click this!](javascript:alert('message');) transform to <p>[Click this!](javascript:alert('message');)</p>,i think it should be better