Adds boolean to Markdown for HTML escaping (#395)

* Updates react-markdown to most recent version

* Adds boolean to Markdown for HTML escaping

This allows the developer to render raw HTML inside Markdown if desired.

* Updates prop name and docstring

Now 100% more dangerous

* Removes react-markdown upgrade

* Adds default for escapeHtml

* Changes property name and inverts boolean for react-markdown

* Now 100% more Prettier

Author: edwardreed81

src/components/Markdown.react.js

@@ -13,7 +13,13 @@ function DashMarkdown(props) {
         props.children = props.children.join('\n');
     }
 
-    return <Markdown source={props.children} escapeHtml={true} {...props} />;
+    return (
+        <Markdown
+            source={props.children}
+            escapeHtml={!props.dangerously_allow_html}
+            {...props}
+        />
+    );
 }
 
 DashMarkdown.propTypes = {
@@ -29,6 +35,14 @@ DashMarkdown.propTypes = {
      */
     containerProps: PropTypes.object,
 
+    /**
+     * A boolean to control raw HTML escaping.
+     * Setting HTML from code is risky because it's easy to
+     * inadvertently expose your users to a cross-site scripting (XSS)
+     * (https://en.wikipedia.org/wiki/Cross-site_scripting) attack.
+     */
+    dangerously_allow_html: PropTypes.bool,
+
     /**
      * A markdown string (or array of strings) that adhreres to the CommonMark spec
      */
@@ -38,4 +52,8 @@ DashMarkdown.propTypes = {
     ]),
 };
 
+DashMarkdown.defaultProps = {
+    dangerously_allow_html: false,
+};
+
 export default DashMarkdown;