chore(deps): update marked to ^0.7.0

[curbengh]

https://snyk.io/vuln/SNYK-JS-MARKED-451341

sanitize: and tables: options have been deprecated.

tables: is now part of gfm:.

Changelog

• Security

  • Sanitize paragraph and text tokens #1504
  • Fix ReDOS for links with backticks (issue #1493) #1515

• Breaking Changes

  • Deprecate sanitize and sanitizer options #1504
  • Move fences to CommonMark #1511
  • Move tables to GFM #1511
  • Remove tables option #1511
  • Single backtick in link text needs to be escaped #1515

• Fixes

  • Fix parentheses around a link #1509
  • Fix headings (issue #1510) #1511

• Tests

  • Run tests with correct options #1511

Closes #101

[coveralls]

Coverage remained the same at 83.721% when pulling ce94875 on weyusi:marked into e6752e5 on hexojs:master.

[curbengh]

Upstream recommends third-party packages (e.g. DOMPurify, sanitize-html or insane) to sanitize html.

I don't see the need of it in the context of server-side rendering, but can be considered if there are interests.

[tomap]

I believe you should keep the sanitize option as it applies to the plugin option, not marked.
I don't see why you removed it?

[curbengh]

I think it applies to both plugin and marked. I'll do some more testing.

[curbengh]

I can confirm sanitize also applies to marked,

I restored plugin's sanitize, but renamed it to sanitizeUrl to avoid confusion.

[curbengh]

I'm still not sure what these lines do (which I restored in the last commit),

hexo-renderer-marked/lib/renderer.js

Lines 41 to 47 in e6752e5

	try {
	prot = decodeURIComponent(unescape(href))
	.replace(/[^\w:]/g, '')
	.toLowerCase();
	} catch (e) {
	return '';
	}

I tried [test-link](http://exAmple.com/%D1%88%D0%B5%D0%BB%D0%BB%D1%8B), but it didn't convert to lowercase nor the rest decoded.

Above line added by @NoahDragon #34

---

Edit: I got it working through

    href = decodeURIComponent(href)
          .replace(/[^\w:\/\.]/g, '')
          .toLowerCase() || '';

not sure if it's what the original code intended.

[tomap]

LGTM. It should trigger a minor version update when we publish a new version (due to change of behavior)

[curbengh]

It should be a major version due to #98.

[tomap]

Agreed. I merge

[tomap]

New version 2.0.0-RC1 published
https://www.npmjs.com/package/hexo-renderer-marked/v/2.0.0-rc1

[tomap]

Here is my test tomap/hexo-theme-minidyne-demo#2
and the result https://5d43cc4992e9e10008aa5fd0--hexo-theme-minidyne-demo.netlify.com/2016/11/12/weixin-app/
compared to the original https://hexo-theme-minidyne-demo.netlify.com/2016/11/12/weixin-app/