fix malicious HTML injection
This bugfix release now sanitizes HTML tags based on a whitelist (also prevents auto-link to "unsafe" web protocols and images) as intended.
Fortunately, because of Sundown's typography support, it did not affect JS injection, but custom style tags and iframes.
PS: thanks to the anonymous submitter of a comment including a style tag for 24pt, red font ;-)