Allow insecure markup (for private wikis amongst friends)

main.go

@@ -38,7 +38,20 @@ func main() {
 		} else {
 			fmt.Printf("\nRunning cowyo server (version %s) at http://%s:%s\n\n", version, host, c.GlobalString("port"))
 		}
-		serve(c.GlobalString("host"), c.GlobalString("port"), c.GlobalString("cert"), c.GlobalString("key"), TLS, c.GlobalString("css"), c.GlobalString("default-page"), c.GlobalString("lock"), c.GlobalInt("debounce"), c.GlobalBool("diary"))
+
+		allowInsecureHtml = c.GlobalBool("allow-insecure-markup")
+		serve(
+			c.GlobalString("host"),
+			c.GlobalString("port"),
+			c.GlobalString("cert"),
+			c.GlobalString("key"),
+			TLS,
+			c.GlobalString("css"),
+			c.GlobalString("default-page"),
+			c.GlobalString("lock"),
+			c.GlobalInt("debounce"),
+			c.GlobalBool("diary"),
+		)
 		return nil
 	}
 	app.Flags = []cli.Flag{
@@ -82,6 +95,10 @@ func main() {
 			Value: "",
 			Usage: "show default-page/read instead of editing (default: show random editing)",
 		},
+		cli.BoolFlag{
+			Name:  "allow-insecure-markup",
+			Usage: "Skip HTML sanitization",
+		},
 		cli.StringFlag{
 			Name:  "lock",
 			Value: "",

utils.go

@@ -20,6 +20,7 @@ import (
 var animals []string
 var adjectives []string
 var aboutPageText string
+var allowInsecureHtml bool
 
 var log *lumber.ConsoleLogger
 
@@ -174,6 +175,11 @@ func exists(path string) bool {
 
 func MarkdownToHtml(s string) string {
 	unsafe := blackfriday.MarkdownCommon([]byte(s))
+
+	if allowInsecureHtml {
+		return string(unsafe)
+	}
+
 	pClean := bluemonday.UGCPolicy()
 	pClean.AllowElements("img")
 	pClean.AllowAttrs("alt").OnElements("img")