Also note, even if you set `unsafe=false`, since the Markdown Attributes feature was released, event handlers can be attached to a code fence via `on<event>` in markdown attributes, and there is no config to disable this.
# do not directly copy the code below, it contains a zero-width space before the triple backticks (to stop Discourse rendering it)
```html {onclick="alert('xss')" onmouseenter="alert('xss-onmouseenter')"}
<h1>Hello World</h1>
```
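Added example, not part of this post or of Hugo itself: since the post says there is no config to disable this, one defensive option is to check (or scrub) the generated HTML for inline `on<event>` attributes before publishing. The Go snippet below does that with the standard library only; `constructedOutput` is a constructed approximation of what such a rendered code fence could look like, not captured Hugo output, and the function names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// startTagRe matches an HTML start tag, allowing '>' inside quoted attribute values.
var startTagRe = regexp.MustCompile(`<[a-zA-Z][^>"']*(?:(?:"[^"]*"|'[^']*')[^>"']*)*>`)

// handlerAttrRe matches an inline event-handler attribute (onclick=..., onmouseenter=..., ...)
// together with its quoted or bare value, inside a single start tag. It is deliberately broad:
// any on<something>= attribute is reported, which is the conservative choice for a check.
var handlerAttrRe = regexp.MustCompile(`(?i)\s+(on[a-z]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)`)

// FindInlineHandlers returns the lower-cased names of every inline event-handler
// attribute found in start tags of rendered HTML, in document order. Text content
// is not scanned, so "onclick=" appearing in a paragraph is not a finding.
func FindInlineHandlers(rendered string) []string {
	var found []string
	for _, tag := range startTagRe.FindAllString(rendered, -1) {
		for _, m := range handlerAttrRe.FindAllStringSubmatch(tag, -1) {
			found = append(found, strings.ToLower(m[1]))
		}
	}
	return found
}

// StripInlineHandlers returns the HTML with inline event-handler attributes removed
// from start tags; text content and all other attributes are left untouched.
func StripInlineHandlers(rendered string) string {
	return startTagRe.ReplaceAllStringFunc(rendered, func(tag string) string {
		return handlerAttrRe.ReplaceAllString(tag, "")
	})
}

// constructedOutput is a constructed sample (an assumption about the rendered shape,
// not real Hugo output) of a code fence that carried on<event> markdown attributes.
const constructedOutput = `<pre><code class="language-html" onclick="alert('xss')" onmouseenter="alert('xss-onmouseenter')">&lt;h1&gt;Hello World&lt;/h1&gt;
</code></pre>`

func main() {
	fmt.Println("handlers found:", FindInlineHandlers(constructedOutput))
	fmt.Println("stripped:", StripInlineHandlers(constructedOutput))
}
```

Running the check over the files under the site's output directory in CI, and failing the build when `FindInlineHandlers` returns anything, catches this class of attribute regardless of which markdown option introduced it; `StripInlineHandlers` is the heavier option for sites that accept content from untrusted authors.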