
Document additional HTML filtering steps for GitHub.com

Open waldyrious opened this issue 3 years ago • 0 comments

Contrary to what the spec says, there are additional HTML tags that aren't rendered on GitHub.com.

For example, `<i><small>test</small></i>` produces the HTML `<i>test</i>`, like this: test.

It would be helpful if the README had a context section documenting where cmark-gfm is used in GitHub.com (e.g. in rendering comments but not .md files, which, according to https://github.com/github/markup#markups, are rendered with commonmarker) and what other steps are performed around it that make the GitHub.com output differ from the plain cmark-gfm output. This was hinted at e.g. in https://github.com/github/cmark-gfm/pull/123#issuecomment-430798387, but it would be nice to make the explicit disclaimer in the README.

Something like this section in github/markup's README would be ideal. For the issue of allowed HTML tags in particular, step 2 in that list would be particularly relevant:

> The HTML is sanitized, aggressively removing things that could harm you and your kin—such as script tags, inline-styles, and class or id attributes.

As an alternative to a new section, perhaps the existing Security section of the README could be expanded to include this information.

waldyrious avatar Oct 22 '22 09:10 waldyrious