[Security] JS injection through attributes like onclick/onerror/etc

[SystemParadox]

With html: true remarkable strips <script> but does not strip attributes like onclick/onerror/etc, so you can do things like this:

<img src="invalid.jpg" onerror="alert('Injected!')" />

This is obviously an XSS vulnerability.

[SystemParadox]

There appear to be other attacks as well (see https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)). It seems that markdown is inherantly XSS unsafe which is quite alarming, particularly because many markdown libraries don't point this out.