Add sanitize HTML

[jfcere]

Fixes #65

As of marked.js v0.3.19, sanitization breaks table alignment as it removes style attributes (which are XSS vulnerable).

They've changed the use of style="text-align: ..." attribute to use align="..." attribute instead but although the PR has been merged, it has not been released yet.

[pouellet]

@jfcere I'm not sure if you were still planning on merging this one, but it looks like the markedjs team released the fix for the align: https://github.com/markedjs/marked/releases/tag/0.4.0. I have to say that I would feel more secure if the Angular DomSanitizer was baked directly in the ngx-markdown library.

(Thanks for the great work!)

[coveralls]

Coverage increased (+0.1%) to 94.04% when pulling a44b56e on sanitize-html into 7b3e532 on master.

[pouellet]

Merci!

[jfcere]

@pouellet sorry I have to revert the merge... i've been too quick on this one.

The main reason of reverting is that there is already a sanitize option available through MarkedOptions that use marked.js built-in sanitization and it can be turned on or off. In this PR I forced sanitization and this might be too restrictive for some people. I would have to make it possible to use or not Angular sanitization.

My second reason is that I find it confusing of having two ways of sanitizing html in the package. I red in this issue markedjs/marked#1232 that they are planning to remove it but until then I'll have to think it through...

Note that I did some tests and haven't noticed any difference between Angular sanitization and marked.js built-in feature ... but I didn't go into the darkest XSS vulnerabilities.

[pouellet]

Fair enough, thanks for the heads up. I'm also currently using the marked sanitize flag and it works well as far as I can tell.