Coverage remained the same at 83.721% when pulling ce94875 on weyusi:marked into e6752e5 on hexojs:master.

Upstream recommends third-party packages (e.g. DOMPurify, sanitize-html or insane) to sanitize html.

I don't see the need of it in the context of server-side rendering, but can be considered if there are interests.

I believe you should keep the sanitize option as it applies to the plugin option, not marked.
I don't see why you removed it?

I think it applies to both plugin and marked. I'll do some more testing.

I can confirm sanitize also applies to marked,

I restored plugin's sanitize, but renamed it to sanitizeUrl to avoid confusion.

I'm still not sure what these lines do (which I restored in the last commit),

I tried [test-link](http://exAmple.com/%D1%88%D0%B5%D0%BB%D0%BB%D1%8B), but it didn't convert to lowercase nor the rest decoded.

Above line added by @NoahDragon #34

Edit: I got it working through

    href = decodeURIComponent(href)
          .replace(/[^\w:\/\.]/g, '')
          .toLowerCase() || '';

not sure if it's what the original code intended.

LGTM. It should trigger a minor version update when we publish a new version (due to change of behavior)

It should be a major version due to #98.

Agreed. I merge

New version 2.0.0-RC1 published
https://www.npmjs.com/package/hexo-renderer-marked/v/2.0.0-rc1

Here is my test tomap/hexo-theme-minidyne-demo#2
and the result https://5d43cc4992e9e10008aa5fd0--hexo-theme-minidyne-demo.netlify.com/2016/11/12/weixin-app/
compared to the original https://hexo-theme-minidyne-demo.netlify.com/2016/11/12/weixin-app/