diff --git a/lib/index.js b/lib/index.js index 083f65b..75d3702 100644 --- a/lib/index.js +++ b/lib/index.js @@ -13,10 +13,21 @@ var handlers = require('./handlers') var own = {}.hasOwnProperty +var deprecationWarningIssued = false + // Factory to transform. function factory(tree, options) { var settings = options || {} - var dangerous = settings.allowDangerousHTML + + // Issue a warning if the deprecated tag 'allowDangerousHTML' is used + if (settings.allowDangerousHTML !== undefined && !deprecationWarningIssued) { + deprecationWarningIssued = true + console.warn( + 'mdast-util-to-hast: deprecation: `allowDangerousHTML` is nonstandard, use `allowDangerousHtml` instead' + ) + } + + var dangerous = settings.allowDangerousHtml || settings.allowDangerousHTML var footnoteById = {} h.dangerous = dangerous diff --git a/readme.md b/readme.md index 6ccd7c5..2b50bfc 100644 --- a/readme.md +++ b/readme.md @@ -63,7 +63,7 @@ Transform the given [mdast][] [tree][] to a [hast][] [tree][]. ##### Options -###### `options.allowDangerousHTML` +###### `options.allowDangerousHtml` Whether to allow [`html`][mdast-html] nodes and inject them as raw HTML (`boolean`, default: `false`). @@ -100,7 +100,7 @@ Default behavior: * [`yaml`][mdast-yaml] and `toml` nodes are ignored (created by [`remark-frontmatter`][remark-frontmatter]) -* [`html`][mdast-html] nodes are ignored if `allowDangerousHTML` is `false` +* [`html`][mdast-html] nodes are ignored if `allowDangerousHtml` is `false` * [`position`][position]s are properly patched * [`node.data.hName`][hname] configures the hast element’s tag-name * [`node.data.hProperties`][hproperties] is mixed into the hast element’s 
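Review bot: With `var dangerous = settings.allowDangerousHtml || settings.allowDangerousHTML`, an explicit `allowDangerousHtml: false` is silently overridden by a stray legacy `allowDangerousHTML: true` in the same options object (for example defaults merged in from an older plugin or config), so the new, documented spelling cannot be used to turn raw-HTML passthrough off. Since this flag is the XSS opt-in the readme warns about, the preferred name should win whenever it is present: `var dangerous = settings.allowDangerousHtml !== undefined ? settings.allowDangerousHtml : settings.allowDangerousHTML`. It is also worth coercing with `Boolean(...)` so `h.dangerous` is a real boolean rather than whatever truthy value the caller passed. A smaller point: the deprecation branch fires on `!== undefined`, so `allowDangerousHTML: false` also triggers the warning, which is probably intended but deserves a comment. The body of `factory` continues past the end of this hunk.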
@@ -217,7 +217,7 @@ Yields, in [hast][] (**note**: the `pre` and `language-js` class are normal Use of `mdast-util-to-hast` can open you up to a [cross-site scripting (XSS)][xss] attack. Embedded hast properties (`hName`, `hProperties`, `hChildren`), custom handlers, -and the `allowDangerousHTML` option all provide openings. +and the `allowDangerousHtml` option all provide openings. The following example shows how a script is injected where a benign code block is expected with embedded hast properties: @@ -263,7 +263,7 @@ Yields:

Hello

``` -Passing `allowDangerousHTML: true` to `mdast-util-to-hast` is typically still +Passing `allowDangerousHtml: true` to `mdast-util-to-hast` is typically still not enough to run unsafe code: ```html @@ -271,7 +271,7 @@ not enough to run unsafe code: <script>alert(3)</script> ``` -If `allowDangerousHTML: true` is also given to `hast-util-to-html` (or +If `allowDangerousHtml: true` is also given to `hast-util-to-html` (or `rehype-stringify`), the unsafe code runs: ```html diff --git a/test/html.js b/test/html.js index 6303e21..fb17c1b 100644 --- a/test/html.js +++ b/test/html.js @@ -7,10 +7,16 @@ var to = require('..') test('HTML', function(t) { t.equal(to(u('html', '')), null, 'should ignore `html`') + t.deepEqual( + to(u('html', ''), {allowDangerousHtml: true}), + u('raw', ''), + 'should transform `html` to `raw` if `allowDangerousHtml` is given' + ) + t.deepEqual( to(u('html', ''), {allowDangerousHTML: true}), u('raw', ''), - 'should transform `html` to `raw` if `allowDangerousHTML` is given' + 'should still transform `html` to `raw` if deprecated `allowDangerousHTML` is given' ) t.end() diff --git a/test/table.js b/test/table.js index f5d3bc5..7736a1b 100644 --- a/test/table.js +++ b/test/table.js @@ -18,7 +18,7 @@ test('Table', function(t) { ]), u('tableRow', [u('tableCell', [u('text', 'alpha')])]) ]), - {allowDangerousHTML: true} + {allowDangerousHtml: true} ), u('element', {tagName: 'table', properties: {}}, [ u('text', '\n'),
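Review bot: The new deprecated-alias assertion in test/html.js runs `to(...)` with `allowDangerousHTML: true`, which (per the lib/index.js change) prints the deprecation message via `console.warn` on first use, yet nothing here asserts that the warning was emitted and the text will leak into the test output. Replacing `console.warn` with a recording stub around that call, restoring it afterwards, would both silence the noise and let the test check the message fires exactly once, e.g. `var warn = console.warn; var calls = []; console.warn = function(m) { calls.push(m) }` before the call and `console.warn = warn; t.equal(calls.length, 1, 'should warn once')` after. There is also no case pinning what happens when both spellings are passed (`{allowDangerousHtml: false, allowDangerousHTML: true}`), which is the combination where the raw-HTML opt-in semantics actually matter.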