Adds UNSAFE option to CommonMarker usage where needed

With the [release of commonmarker
0.18.0](https://github.com/gjtorikian/commonmarker/releases/tag/v0.18.0),
HTML safety was introduced as a default (to avoid XSS).  But if someone
_wants_ to allow unsafe elements in their markdown, they should be able
to pass that option down to CommonMarker through html-pipeline.

Author: diachini

lib/html/pipeline/markdown_filter.rb

@@ -23,6 +23,7 @@ def initialize(text, context = nil, result = nil)
       def call
         options = [:GITHUB_PRE_LANG]
         options << :HARDBREAKS if context[:gfm] != false
+        options << :UNSAFE if context[:unsafe]
         extensions = context.fetch(
           :commonmarker_extensions,
           %i[table strikethrough tagfilter autolink]

test/html/pipeline/markdown_filter_test.rb

@@ -52,20 +52,20 @@ def test_fenced_code_blocks_with_language
   def test_standard_extensions
     iframe = "<iframe src='http://www.google.com'></iframe>"
     iframe_escaped = "&lt;iframe src='http://www.google.com'>&lt;/iframe>"
-    doc = MarkdownFilter.new(iframe).call
+    doc = MarkdownFilter.new(iframe, unsafe: true).call
     assert_equal(doc, iframe_escaped)
   end
 
   def test_changing_extensions
     iframe = "<iframe src='http://www.google.com'></iframe>"
-    doc = MarkdownFilter.new(iframe, commonmarker_extensions: []).call
+    doc = MarkdownFilter.new(iframe, commonmarker_extensions: [], unsafe: true).call
     assert_equal(doc, iframe)
   end
 end
 
 class GFMTest < Minitest::Test
   def gfm(text)
-    MarkdownFilter.call(text, gfm: true)
+    MarkdownFilter.call(text, gfm: true, unsafe: true)
   end
 
   def test_not_touch_single_underscores_inside_words