@tomap tomap commented Sep 26, 2021

and update other plugins

Following security issue on hexo-renderer-marked: hexojs/hexo-renderer-marked#210

@tomap
Author

tomap commented Jan 8, 2022

Ready to be merged :)

@yoshinorin
Member

I think maybe no problem if we switch the default markdown parser from marked to markdown-it.
But, I want to know other maintainers' opinions. They may come up with some problems or issues.

@tomap
Author

tomap commented Jan 9, 2022

Understood. The main reason is that marked has some security issues that markdown-it does not have.

There is no sanitizer in marked. You have to add it on top. But by default, markdown-it is safe.

@SukkaW
Member

SukkaW commented Jan 9, 2022

> I think maybe no problem if we switch the default markdown parser from marked to markdown-it. But, I want to know other maintainers' opinions. They may come up with some problems or issues.

Personally, I prefer hexo-renderer-marked. The benchmark between hexo-renderer-markdown-it and hexo-renderer-marked is probably outdated (At least in my case, it is faster than hexo-renderer-markdown-it).

Also, we need to compare the differences between the output from hexo-renderer-marked and the output from hexo-renderer-markdown-it, to see if it is potentially a breaking change that breaks new users (especially with existing themes). And if there is any, we should defer it to Hexo 7.0.0.

That's to say, I am not against hexo-renderer-markdown-it, but more tests and preparations need to be done.

@tomap
Author

tomap commented Jan 10, 2022

There is one. https://github.com/hexojs/hexo-renderer-marked#options

Autolink in marked will convert full URLs, while the same feature in markdown-it will also convert URLs without a scheme.
