From 5ca58b4bdefc8e938200dcf92ef5c1ae3c45be2b Mon Sep 17 00:00:00 2001
From: Alex Deschamps <alexis.deschamps@gmail.com>
Date: Fri, 26 Mar 2021 18:21:03 -0600
Subject: [PATCH] switch default html to false (safer)

---
 lib/presets/commonmark.js | 2 +-
 test/commonmark.js        | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/presets/commonmark.js b/lib/presets/commonmark.js
index 7066553..e1fc429 100644
--- a/lib/presets/commonmark.js
+++ b/lib/presets/commonmark.js
@@ -5,7 +5,7 @@
 
 module.exports = {
   options: {
-    html:         true,         // Enable HTML tags in source
+    html:         false,        // Enable HTML tags in source
     xhtmlOut:     true,         // Use '/' to close single tags (<br />)
     breaks:       false,        // Convert '\n' in paragraphs into <br>
     langPrefix:   'language-',  // CSS language prefix for fenced blocks
diff --git a/test/commonmark.js b/test/commonmark.js
index d0f901e..5c963bd 100644
--- a/test/commonmark.js
+++ b/test/commonmark.js
@@ -33,3 +33,11 @@ describe('CommonMark', function () {
 
   generate(p.join(__dirname, 'fixtures/commonmark/good.txt'), md);
 });
+
+describe('CommonMark defaults', function () {
+  var md = require('../')('commonmark');
+
+  it('defaults to the safe html false options', function () {
+    assert.strictEqual(md.render('<script>alert();</script>'), '<p>&lt;script&gt;alert();&lt;/script&gt;</p>\n');
+  });
+});