From 421edd35454103e3ed927de72d23a38bee1f97d3 Mon Sep 17 00:00:00 2001
From: Robert Speicher <rspeicher@gmail.com>
Date: Mon, 27 Apr 2015 22:09:00 -0400
Subject: [PATCH] Escape normal text in our Redcarpet renderer

---
 lib/redcarpet/render/gitlab_html.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb
index 321be9202cc..5a87b230579 100644
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
@@ -1,5 +1,6 @@
-class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
+require 'active_support/core_ext/string/output_safety'
 
+class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   attr_reader :template
   alias_method :h, :template
 
@@ -21,6 +22,7 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   def normal_text(text)
     return text unless text.present?
 
+    text = ERB::Util.html_escape_once(text)
     text.gsub("'", "&rsquo;")
   end
 
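Review bot: In `normal_text`, the existing `text.gsub("'", "&rsquo;")` now runs after the new escape call and may never match. On ActiveSupport versions where `html_escape_once` also rewrites `'` (to `&#39;`), every apostrophe is already gone, so the typographic apostrophe is silently lost; confirm this against the bundled version. Substituting first keeps both behaviours, because `html_escape_once` leaves an existing entity such as `&rsquo;` untouched: `ERB::Util.html_escape_once(text.gsub("'", "&rsquo;"))`. The diffstat shows only this file changed, so a spec asserting that `<`, `>` and `&` in plain text come out as entities would pin the escaping against regressions. This callback only covers plain text runs; whether other callbacks in this renderer emit user-controlled strings unescaped cannot be seen from the hunk.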
-- 
GitLab