switch default html to false (safer)

lib/presets/commonmark.js

@@ -5,7 +5,7 @@
 
 module.exports = {
   options: {
-    html:         true,         // Enable HTML tags in source
+    html:         false,        // Enable HTML tags in source
     xhtmlOut:     true,         // Use '/' to close single tags (<br />)
     breaks:       false,        // Convert '\n' in paragraphs into <br>
     langPrefix:   'language-',  // CSS language prefix for fenced blocks

test/commonmark.js

@@ -33,3 +33,11 @@ describe('CommonMark', function () {
 
   generate(p.join(__dirname, 'fixtures/commonmark/good.txt'), md);
 });
+
+describe('CommonMark defaults', function () {
+  var md = require('../')('commonmark');
+
+  it('defaults to the safe html false options', function () {
+    assert.strictEqual(md.render('<script>alert();</script>'), '<p>&lt;script&gt;alert();&lt;/script&gt;</p>\n');
+  });
+});