Even with these flags active, injections and XSS are still easily possible.
Providing full attribute checking, HTML validation, ... is out of the
scope of Hoedown, therefore this "security" features only create
a false sense of security rather than actually providing it.
It's redundant. A zero `nesting_level` already means "disable TOC"
and a nonzero `nesting_level` enables it.
Having a TOC flag only complicates the code unnecessarily.
