This commit changes markdown sanitization behaviour in following way:
class, style and data-* attributes are removed by default. These attributes
open possible vulnerability vectors to attackers.
The original behavior of sanitizer (before this commit) can be enabled by *useUnsafeMarkdown* configuration option.
Use this configuration option with caution and only in cases when you know
what you're doing.
* Add the withCredentials configuration key
It enables passing credentials in CORS requests. e.g. Cookies and
Authorization headers.
* Improve withCredentials documentation
* Add unit tests for the withCredentials config
* Update configuration.md
* Update configuration.md
* only set `withCredentials` Fetch flag if the config value is truthy
there are some workarounds in the wild today that involve setting `withCredentials` on `system.fn.fetch` directly.
this approach avoids mangling those existing workarounds!
* add more test cases
* Update configs-wrap-actions.js
* Update index.js
