recommend more variety of sanitize libraries

Author: koczkatamas

README.md

@@ -39,7 +39,7 @@ Also read about:
 
 ## Usage
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML by default 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! 🚨
 
 **CLI**
 

docs/README.md

@@ -25,7 +25,7 @@ These documentation pages are also rendered using marked 💯
 
 <h2 id="usage">Usage</h2>
 
-### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use e.g. [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize the HTML output! 🚨
+### Warning: 🚨 Marked does not [sanitize](https://marked.js.org/#/USING_ADVANCED.md#options) the output HTML. Please use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! 🚨
 
 **CLI**
 

docs/USING_ADVANCED.md

@@ -51,7 +51,7 @@ console.log(marked(markdownString));
 |mangle      |`boolean` |`true`   |v0.3.4   |If true, autolinked email address is escaped with HTML character references.|
 |pedantic    |`boolean` |`false`  |v0.2.1   |If true, conform to the original `markdown.pl` as much as possible. Don't fix original markdown bugs or behavior. Turns off and overrides `gfm`.|
 |renderer    |`object`  |`new Renderer()`|v0.3.0|An object containing functions to render tokens to HTML. See [extensibility](USING_PRO.md) for more details.|
-|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered as a security boundary. Please use e.g. [DOMPurify](https://github.com/cure53/DOMPurify) instead! |
+|sanitize    |`boolean` |`false`  |v0.2.1   |If true, sanitize the HTML passed into `markdownString` with the `sanitizer` function.<br>**Warning**: This feature is deprecated and it should NOT be used as it cannot be considered secure.<br>Instead use a sanitize library, like [DOMPurify](https://github.com/cure53/DOMPurify) (recommended), [sanitize-html](https://github.com/apostrophecms/sanitize-html) or [insane](https://www.npmjs.com/package/insane) on the output HTML! |
 |sanitizer   |`function`|`null`   |v0.3.4   |A function to sanitize the HTML passed into `markdownString`.|
 |silent      |`boolean` |`false`  |v0.2.7   |If true, the parser does not throw any exception.|
 |smartLists  |`boolean` |`false`  |v0.2.8   |If true, use smarter list behavior than those found in `markdown.pl`.|

lib/marked.js

@@ -1538,7 +1538,7 @@ function findClosingBracket(str, b) {
 
 function checkSanitizeDeprecation(opt) {
   if (opt && opt.sanitize && !opt.silent) {
-    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3 and will be removed from the next major version. Please use an external library, e.g. DOMPurify for your sanitization needs.');
+    console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.6.3, should not be used and will be removed in the next major version. Read more here: https://marked.js.org/#/USING_ADVANCED.md#options');
   }
 }