proper use of Misaka's HTML render flags (fix malicious HTML injection)

This commit now sanitizes *all* HTML tags written by the user (also
prevents auto-link to "unsafe" web protocols and images) as intended.

Fortunately because of Sundown's typography support, it did not affect
JS injection, but custom style tags and iframes.

PS: thanks to the anonymous submitter of a comment including a style tag
for 24pt, red font ;-)

isso/utils/__init__.py

@@ -121,9 +121,23 @@ class JSONResponse(Response):
 
 
 def markdown(text):
-    return misaka.html(text, extensions= misaka.EXT_STRIKETHROUGH
-        | misaka.EXT_SUPERSCRIPT | misaka.EXT_AUTOLINK
-        | misaka.HTML_SKIP_HTML  | misaka.HTML_SKIP_IMAGES | misaka.HTML_SAFELINK)
+    """Convert Markdown to (safe) HTML.
+
+    >>> markdown("*Ohai!*") # doctest: +IGNORE_UNICODE
+    '<p><em>Ohai!</em></p>'
+    >>> markdown("<script>alert('Onoe')</script>") # doctest: +IGNORE_UNICODE
+    '<p>alert(&#39;Onoe&#39;)</p>'
+    >>> markdown("http://example.org/ and sms:+1234567890") # doctest: +IGNORE_UNICODE
+    '<p><a href="http://example.org/">http://example.org/</a> and sms:+1234567890</p>'
+    """
+
+    # ~~strike through~~, sub script: 2^(nd) and http://example.org/ auto-link
+    exts = misaka.EXT_STRIKETHROUGH | misaka.EXT_SUPERSCRIPT | misaka.EXT_AUTOLINK
+
+    # remove HTML tags, skip <img> (for now) and only render "safe" protocols
+    html = misaka.HTML_SKIP_HTML | misaka.HTML_SKIP_IMAGES | misaka.HTML_SAFELINK
+
+    return misaka.html(text, extensions=exts, render_flags=html).strip("\n")
 
 
 def origin(hosts):