Enable support for HTML code snippets by default about marp-core HOT 2 CLOSED

Due to our stance on security, we have no plans to work for that.

Marp Core is designed as an open-ended library used by a wide range of developers. Thus, its default settings should offer maximum protection from security threats arising from Markdown content, such as <script> tags and on**** event attributes on any tags. This aligns with the philosophy of the markdown-it parser, which Marp and Marpit depend on.

Many people don't understand that markdown format does not care much about security.
...

1. Don't enable HTML. Extend markup features with plugins. We think it's the best choice and use it by default.
   • That's ok for 99% of user needs.
   • Output will be safe without sanitizer.

— https://github.com/markdown-it/markdown-it/blob/master/docs/security.md

However, it is a fact that enabling HTML tags has become a common practice across various Marp tools due to its convenience, despite the vulnerabilities to malicious Markdown + HTML.

We have already seen this as a problem. Marp Core has a long pinned issue #301, to collect a list of commonly used HTML tags and attributes from the Marp community.

• #301

We want to find out a default HTML safelist, that is suitable and secure for every Marp user. So we also want more feedbacks from much more users for #301. If the default HTML safelist was provided, most users would not need to enable HTML tags explicitly.

from marp-core.

FYI: If possible, tell us which HTML tags are you using in Marp slide to move things toward this issue.
marp-team/marp#501

from marp-core.