From 6b4d7923dbd990cf378914a17c3798bf265a19d8 Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Thu, 27 Jun 2019 01:07:13 +0200
Subject: [PATCH 01/11] add deprecation warning for sanitize option

---
 lib/marked.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/marked.js b/lib/marked.js
index 86286794e5..bd69ca29d0 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -1536,6 +1536,12 @@ function findClosingBracket(str, b) {
   return -1;
 }
 
+function checkSanitizeDeprecation(opt) {
+  if (opt && opt.sanitize && !opt.silent) {
+    console.warn("marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3 and will be removed from the next major version. Please use an external library, e.g. DOMPurify for your sanitization needs.");
+  }
+}
+
 /**
  * Marked
  */
@@ -1557,6 +1563,7 @@ function marked(src, opt, callback) {
     }
 
     opt = merge({}, marked.defaults, opt || {});
+    checkSanitizeDeprecation(opt);
 
     var highlight = opt.highlight,
         tokens,
@@ -1621,6 +1628,7 @@ function marked(src, opt, callback) {
   }
   try {
     if (opt) opt = merge({}, marked.defaults, opt);
+    checkSanitizeDeprecation(opt);
     return Parser.parse(Lexer.lex(src, opt), opt);
   } catch (e) {
     e.message += '\nPlease report this to https://github.com/markedjs/marked.';

From 08389dba3c50c4c6f41625a680df15cb05cc3fd0 Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Thu, 27 Jun 2019 01:08:58 +0200
Subject: [PATCH 02/11] harden sanitization

---
 lib/marked.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/marked.js b/lib/marked.js
index bd69ca29d0..240c7c16e6 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -434,7 +434,7 @@ Lexer.prototype.token = function(src, top) {
           : 'html',
         pre: !this.options.sanitizer
           && (cap[1] === 'pre' || cap[1] === 'script' || cap[1] === 'style'),
-        text: cap[0]
+        text: this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]
       });
       continue;
     }
@@ -847,7 +847,7 @@ InlineLexer.prototype.output = function(src) {
     if (cap = this.rules.text.exec(src)) {
       src = src.substring(cap[0].length);
       if (this.inRawBlock) {
-        out += this.renderer.text(cap[0]);
+        out += this.renderer.text(this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]);
       } else {
         out += this.renderer.text(escape(this.smartypants(cap[0])));
       }

From 506704a5fed4399281eceea2951e484e4d143c40 Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Thu, 27 Jun 2019 01:09:34 +0200
Subject: [PATCH 03/11] add test cases for sanitization hardening

---
 test/specs/run-spec.js                                   | 3 +++
 test/specs/security/sanitizer_bypass.html                | 6 ++++++
 test/specs/security/sanitizer_bypass.md                  | 9 +++++++++
 test/specs/security/sanitizer_bypass_remove_generic.html | 2 ++
 test/specs/security/sanitizer_bypass_remove_generic.md   | 6 ++++++
 test/specs/security/sanitizer_bypass_remove_script.html  | 1 +
 test/specs/security/sanitizer_bypass_remove_script.md    | 5 +++++
 test/specs/security/sanitizer_bypass_remove_tag.html     | 1 +
 test/specs/security/sanitizer_bypass_remove_tag.md       | 5 +++++
 9 files changed, 38 insertions(+)
 create mode 100644 test/specs/security/sanitizer_bypass.html
 create mode 100644 test/specs/security/sanitizer_bypass.md
 create mode 100644 test/specs/security/sanitizer_bypass_remove_generic.html
 create mode 100644 test/specs/security/sanitizer_bypass_remove_generic.md
 create mode 100644 test/specs/security/sanitizer_bypass_remove_script.html
 create mode 100644 test/specs/security/sanitizer_bypass_remove_script.md
 create mode 100644 test/specs/security/sanitizer_bypass_remove_tag.html
 create mode 100644 test/specs/security/sanitizer_bypass_remove_tag.md

diff --git a/test/specs/run-spec.js b/test/specs/run-spec.js
index 2702c76f68..b6d0c17e27 100644
--- a/test/specs/run-spec.js
+++ b/test/specs/run-spec.js
@@ -16,6 +16,8 @@ function runSpecs(title, dir, showCompletionTable, options) {
           spec.options = Object.assign({}, options, (spec.options || {}));
           const example = (spec.example ? ' example ' + spec.example : '');
           const passFail = (spec.shouldFail ? 'fail' : 'pass');
+          if (spec.options.sanitizerRemoveHtml)
+            spec.options.sanitizer = () => '';
           (spec.only ? fit : it)('should ' + passFail + example, () => {
             const before = process.hrtime();
             if (spec.shouldFail) {
@@ -40,3 +42,4 @@ runSpecs('CommonMark', './commonmark', true, { headerIds: false });
 runSpecs('Original', './original', false, { gfm: false });
 runSpecs('New', './new');
 runSpecs('ReDOS', './redos');
+runSpecs('Security', './security', false, { silent: true /* no deprecation warnings */ });
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass.html b/test/specs/security/sanitizer_bypass.html
new file mode 100644
index 0000000000..fb35223cf0
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass.html
@@ -0,0 +1,6 @@
+<p>AAA&lt;script&gt; &lt;img &lt;script&gt; src=x onerror=alert(1) /&gt;BBB</p>
+
+<p>AAA&lt;sometag&gt; &lt;img &lt;sometag&gt; src=x onerror=alert(1)BBB</p>
+
+<p>&lt;a&gt;a2&lt;a2t&gt;a2&lt;/a&gt; b &lt;c&gt;c&lt;/c&gt; d</p>
+<h1 id="text"><img src="URL" alt="text"></h1>
diff --git a/test/specs/security/sanitizer_bypass.md b/test/specs/security/sanitizer_bypass.md
new file mode 100644
index 0000000000..99091d0198
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass.md
@@ -0,0 +1,9 @@
+---
+sanitize: true
+---
+AAA<script> <img <script> src=x onerror=alert(1) />BBB
+
+AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB
+
+<a>a2<a2t>a2</a> b <c>c</c> d
+# ![text](URL)
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass_remove_generic.html b/test/specs/security/sanitizer_bypass_remove_generic.html
new file mode 100644
index 0000000000..272825867d
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_generic.html
@@ -0,0 +1,2 @@
+<p>a2a2 b c d</p>
+<h1 id="text"><img src="URL" alt="text"></h1>
diff --git a/test/specs/security/sanitizer_bypass_remove_generic.md b/test/specs/security/sanitizer_bypass_remove_generic.md
new file mode 100644
index 0000000000..41aca6277c
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_generic.md
@@ -0,0 +1,6 @@
+---
+sanitize: true
+sanitizerRemoveHtml: true
+---
+<a>a2<a2t>a2</a> b <c>c</c> d
+# ![text](URL)
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass_remove_script.html b/test/specs/security/sanitizer_bypass_remove_script.html
new file mode 100644
index 0000000000..85472db28e
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_script.html
@@ -0,0 +1 @@
+<p>AAA</p>
diff --git a/test/specs/security/sanitizer_bypass_remove_script.md b/test/specs/security/sanitizer_bypass_remove_script.md
new file mode 100644
index 0000000000..9334070021
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_script.md
@@ -0,0 +1,5 @@
+---
+sanitize: true
+sanitizerRemoveHtml: true
+---
+AAA<script> <img <script> src=x onerror=alert(1) />BBB
diff --git a/test/specs/security/sanitizer_bypass_remove_tag.html b/test/specs/security/sanitizer_bypass_remove_tag.html
new file mode 100644
index 0000000000..68d5c23d44
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_tag.html
@@ -0,0 +1 @@
+<p>AAA &lt;img  src=x onerror=alert(1)BBB</p>
diff --git a/test/specs/security/sanitizer_bypass_remove_tag.md b/test/specs/security/sanitizer_bypass_remove_tag.md
new file mode 100644
index 0000000000..fd387b1248
--- /dev/null
+++ b/test/specs/security/sanitizer_bypass_remove_tag.md
@@ -0,0 +1,5 @@
+---
+sanitize: true
+sanitizerRemoveHtml: true
+---
+AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB

From 0c38172e31d4e818d19a3bfd14f45d5605a2b76b Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Thu, 27 Jun 2019 01:25:55 +0200
Subject: [PATCH 04/11] add sanitize deprecation warnings to docs

---
 docs/README.md         | 2 +-
 docs/USING_ADVANCED.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/README.md b/docs/README.md
index b31e52c09a..56c21d3862 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -25,7 +25,7 @@ These documentation pages are also rendered using marked 💯
 
 <h2 id="usage">Usage</h2>
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use e.g. [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize the HTML output! 🚨
 
 **CLI**
 
diff --git a/docs/USING_ADVANCED.md b/docs/USING_ADVANCED.md
index 7978e33083..d6ac4ccd22 100644
--- a/docs/USING_ADVANCED.md
+++ b/docs/USING_ADVANCED.md
@@ -51,7 +51,7 @@ console.log(marked(markdownString));
 |mangle      |`boolean` |`true`   |v0.3.4   |If true, autolinked email address is escaped with HTML character references.|
 |pedantic    |`boolean` |`false`  |v0.2.1   |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.|
 |renderer    |`object`  |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.|
-|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.|
+|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered as a security boundary. Please use e.g. [DOMPurify](https://github.com/cure53/DOMPurify) instead! |
 |sanitizer   |`function`|`null`   |v0.3.4   |A function to sanitize the HTML passed into `markdownString`.|
 |silent      |`boolean` |`false`  |v0.2.7   |If true, the parser does not throw any exception.|
 |smartLists  |`boolean` |`false`  |v0.2.8   |If true, use smarter list behavior than those found in `markdown.pl`.|

From 73ad6589b8892031d2155772a7f4961cc3178d74 Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Thu, 27 Jun 2019 01:30:01 +0200
Subject: [PATCH 05/11] make lint happy

---
 lib/marked.js          | 2 +-
 test/specs/run-spec.js | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/marked.js b/lib/marked.js
index 240c7c16e6..3d241e124a 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -1538,7 +1538,7 @@ function findClosingBracket(str, b) {
 
 function checkSanitizeDeprecation(opt) {
   if (opt && opt.sanitize && !opt.silent) {
-    console.warn("marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3 and will be removed from the next major version. Please use an external library, e.g. DOMPurify for your sanitization needs.");
+    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3 and will be removed from the next major version. Please use an external library, e.g. DOMPurify for your sanitization needs.');
   }
 }
 
diff --git a/test/specs/run-spec.js b/test/specs/run-spec.js
index b6d0c17e27..37fe5e1c72 100644
--- a/test/specs/run-spec.js
+++ b/test/specs/run-spec.js
@@ -16,8 +16,9 @@ function runSpecs(title, dir, showCompletionTable, options) {
           spec.options = Object.assign({}, options, (spec.options || {}));
           const example = (spec.example ? ' example ' + spec.example : '');
           const passFail = (spec.shouldFail ? 'fail' : 'pass');
-          if (spec.options.sanitizerRemoveHtml)
+          if (spec.options.sanitizerRemoveHtml) {
             spec.options.sanitizer = () => '';
+          }
           (spec.only ? fit : it)('should ' + passFail + example, () => {
             const before = process.hrtime();
             if (spec.shouldFail) {
@@ -42,4 +43,4 @@ runSpecs('CommonMark', './commonmark', true, { headerIds: false });
 runSpecs('Original', './original', false, { gfm: false });
 runSpecs('New', './new');
 runSpecs('ReDOS', './redos');
-runSpecs('Security', './security', false, { silent: true /* no deprecation warnings */ });
\ No newline at end of file
+runSpecs('Security', './security', false, { silent: true }); // silent - do not show deprecation warning

From 44da69e30d33bc52da807f393228205721d04b6c Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Fri, 28 Jun 2019 21:28:15 +0200
Subject: [PATCH 06/11] recommend more variety of sanitize libraries

---
 README.md              | 2 +-
 docs/README.md         | 2 +-
 docs/USING_ADVANCED.md | 2 +-
 lib/marked.js          | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 2dfd5cd1c5..b965b28f2e 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ Also read about:
 
 ## Usage
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! 🚨
 
 **CLI**
 
diff --git a/docs/README.md b/docs/README.md
index 56c21d3862..ff99b16332 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -25,7 +25,7 @@ These documentation pages are also rendered using marked 💯
 
 <h2 id="usage">Usage</h2>
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use e.g. [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize the HTML output! 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! 🚨
 
 **CLI**
 
diff --git a/docs/USING_ADVANCED.md b/docs/USING_ADVANCED.md
index d6ac4ccd22..04a04a55cb 100644
--- a/docs/USING_ADVANCED.md
+++ b/docs/USING_ADVANCED.md
@@ -51,7 +51,7 @@ console.log(marked(markdownString));
 |mangle      |`boolean` |`true`   |v0.3.4   |If true, autolinked email address is escaped with HTML character references.|
 |pedantic    |`boolean` |`false`  |v0.2.1   |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.|
 |renderer    |`object`  |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.|
-|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered as a security boundary. Please use e.g. [DOMPurify](https://github.com/cure53/DOMPurify) instead! |
+|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! |
 |sanitizer   |`function`|`null`   |v0.3.4   |A function to sanitize the HTML passed into `markdownString`.|
 |silent      |`boolean` |`false`  |v0.2.7   |If true, the parser does not throw any exception.|
 |smartLists  |`boolean` |`false`  |v0.2.8   |If true, use smarter list behavior than those found in `markdown.pl`.|
diff --git a/lib/marked.js b/lib/marked.js
index 3d241e124a..7aff264309 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -1538,7 +1538,7 @@ function findClosingBracket(str, b) {
 
 function checkSanitizeDeprecation(opt) {
   if (opt && opt.sanitize && !opt.silent) {
-    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3 and will be removed from the next major version. Please use an external library, e.g. DOMPurify for your sanitization needs.');
+    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3, should not be used and will be removed in the next major version. Read more here: https://marked.js.org/#/USING_ADVANCED.md#options');
   }
 }
 

From 0e8d8f47680d7b2833a3a6c84b5751d0da9197fe Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Fri, 28 Jun 2019 21:31:03 +0200
Subject: [PATCH 07/11] use the more generic `sanitizer` option instead of
 `sanitizerRemoveHtml` in tests

---
 test/specs/run-spec.js                                 | 5 +++--
 test/specs/security/sanitizer_bypass_remove_generic.md | 2 +-
 test/specs/security/sanitizer_bypass_remove_script.md  | 2 +-
 test/specs/security/sanitizer_bypass_remove_tag.md     | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/test/specs/run-spec.js b/test/specs/run-spec.js
index 37fe5e1c72..b962a1f7cc 100644
--- a/test/specs/run-spec.js
+++ b/test/specs/run-spec.js
@@ -16,8 +16,9 @@ function runSpecs(title, dir, showCompletionTable, options) {
           spec.options = Object.assign({}, options, (spec.options || {}));
           const example = (spec.example ? ' example ' + spec.example : '');
           const passFail = (spec.shouldFail ? 'fail' : 'pass');
-          if (spec.options.sanitizerRemoveHtml) {
-            spec.options.sanitizer = () => '';
+          if (spec.options.sanitizer) {
+            // eslint-disable-next-line no-eval
+            spec.options.sanitizer = eval(spec.options.sanitizer);
           }
           (spec.only ? fit : it)('should ' + passFail + example, () => {
             const before = process.hrtime();
diff --git a/test/specs/security/sanitizer_bypass_remove_generic.md b/test/specs/security/sanitizer_bypass_remove_generic.md
index 41aca6277c..4718f8438d 100644
--- a/test/specs/security/sanitizer_bypass_remove_generic.md
+++ b/test/specs/security/sanitizer_bypass_remove_generic.md
@@ -1,6 +1,6 @@
 ---
 sanitize: true
-sanitizerRemoveHtml: true
+sanitizer: () => ''
 ---
 <a>a2<a2t>a2</a> b <c>c</c> d
 # ![text](URL)
\ No newline at end of file
diff --git a/test/specs/security/sanitizer_bypass_remove_script.md b/test/specs/security/sanitizer_bypass_remove_script.md
index 9334070021..3c3b940545 100644
--- a/test/specs/security/sanitizer_bypass_remove_script.md
+++ b/test/specs/security/sanitizer_bypass_remove_script.md
@@ -1,5 +1,5 @@
 ---
 sanitize: true
-sanitizerRemoveHtml: true
+sanitizer: () => ''
 ---
 AAA<script> <img <script> src=x onerror=alert(1) />BBB
diff --git a/test/specs/security/sanitizer_bypass_remove_tag.md b/test/specs/security/sanitizer_bypass_remove_tag.md
index fd387b1248..30388d68b6 100644
--- a/test/specs/security/sanitizer_bypass_remove_tag.md
+++ b/test/specs/security/sanitizer_bypass_remove_tag.md
@@ -1,5 +1,5 @@
 ---
 sanitize: true
-sanitizerRemoveHtml: true
+sanitizer: () => ''
 ---
 AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB

From 63fd313a552e68136335bacebddeda3d7274d5b1 Mon Sep 17 00:00:00 2001
From: KT <koczkatamas@gmail.com>
Date: Sat, 29 Jun 2019 01:43:18 +0200
Subject: [PATCH 08/11] fix insane's URL

---
 README.md              | 2 +-
 docs/README.md         | 2 +-
 docs/USING_ADVANCED.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index b965b28f2e..e93504ca93 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ Also read about:
 
 ## Usage
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! 🚨
 
 **CLI**
 
diff --git a/docs/README.md b/docs/README.md
index ff99b16332..f5ba9d2b71 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -25,7 +25,7 @@ These documentation pages are also rendered using marked 💯
 
 <h2 id="usage">Usage</h2>
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! 🚨
 
 **CLI**
 
diff --git a/docs/USING_ADVANCED.md b/docs/USING_ADVANCED.md
index 04a04a55cb..4d329cc1ff 100644
--- a/docs/USING_ADVANCED.md
+++ b/docs/USING_ADVANCED.md
@@ -51,7 +51,7 @@ console.log(marked(markdownString));
 |mangle      |`boolean` |`true`   |v0.3.4   |If true, autolinked email address is escaped with HTML character references.|
 |pedantic    |`boolean` |`false`  |v0.2.1   |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.|
 |renderer    |`object`  |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.|
-|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! |
+|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://github.com/bevacqua/insane) on the output HTML! |
 |sanitizer   |`function`|`null`   |v0.3.4   |A function to sanitize the HTML passed into `markdownString`.|
 |silent      |`boolean` |`false`  |v0.2.7   |If true, the parser does not throw any exception.|
 |smartLists  |`boolean` |`false`  |v0.2.8   |If true, use smarter list behavior than those found in `markdown.pl`.|

From b78e498f07999ceeb04952f6d7f0edbbd2a95f2a Mon Sep 17 00:00:00 2001
From: Tony Brix <tony@brix.ninja>
Date: Tue, 2 Jul 2019 08:33:05 -0500
Subject: [PATCH 09/11] update deprecation warning

---
 lib/marked.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/marked.js b/lib/marked.js
index 7aff264309..dac7f65ae6 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -1538,7 +1538,7 @@ function findClosingBracket(str, b) {
 
 function checkSanitizeDeprecation(opt) {
   if (opt && opt.sanitize && !opt.silent) {
-    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3, should not be used and will be removed in the next major version. Read more here: https://marked.js.org/#/USING_ADVANCED.md#options');
+    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.7.0, should not be used and will be removed in the future. Read more here: https://marked.js.org/#/USING_ADVANCED.md#options');
   }
 }
 

From 2b63f3b0d3ab0db72c499301664f61e229121670 Mon Sep 17 00:00:00 2001
From: Tony Brix <tony@brix.ninja>
Date: Tue, 2 Jul 2019 08:40:16 -0500
Subject: [PATCH 10/11] add test

---
 test/specs/new/links_paren.html | 5 +++++
 test/specs/new/links_paren.md   | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 test/specs/new/links_paren.html
 create mode 100644 test/specs/new/links_paren.md

diff --git a/test/specs/new/links_paren.html b/test/specs/new/links_paren.html
new file mode 100644
index 0000000000..375c0f0cf1
--- /dev/null
+++ b/test/specs/new/links_paren.html
@@ -0,0 +1,5 @@
+<p>(<a href="http://example.com/1">one</a>) (<a href="http://example.com/2">two</a>)</p>
+
+<p>(<a href="http://example.com/1">one</a>) (<a href="http://example.com/2">two</a>)</p>
+
+<p>(<a href="http://example.com/1" title="a">one</a>) (<a href="http://example.com/2" title="b">two</a>)</p>
diff --git a/test/specs/new/links_paren.md b/test/specs/new/links_paren.md
new file mode 100644
index 0000000000..96f106ce03
--- /dev/null
+++ b/test/specs/new/links_paren.md
@@ -0,0 +1,5 @@
+([one](http://example.com/1)) ([two](http://example.com/2))
+
+([one](http://example.com/1))  ([two](http://example.com/2))
+
+([one](http://example.com/1 "a")) ([two](http://example.com/2 "b"))

From 59ec6fba0c5fe5b69d8f3c953a56aa9934075d0a Mon Sep 17 00:00:00 2001
From: Tony Brix <tony@brix.ninja>
Date: Tue, 2 Jul 2019 08:40:28 -0500
Subject: [PATCH 11/11] fix calculation

---
 lib/marked.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/marked.js b/lib/marked.js
index d07c39618f..52c178bc30 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -728,7 +728,7 @@ InlineLexer.prototype.output = function(src) {
     if (cap = this.rules.link.exec(src)) {
       var lastParenIndex = findClosingBracket(cap[2], '()');
       if (lastParenIndex > -1) {
-        var linkLen = cap[0].length - (cap[2].length - lastParenIndex) - (cap[3] || '').length;
+        var linkLen = 4 + cap[1].length + lastParenIndex;
         cap[2] = cap[2].substring(0, lastParenIndex);
         cap[0] = cap[0].substring(0, linkLen).trim();
         cap[3] = '';