diff --git a/app/helpers/gitlab_markdown_helper.rb b/app/helpers/gitlab_markdown_helper.rb
index 0365681a128339cba07a0116f7e836dd5b0f612a..3a0e8bcda4efb08ac02639d34e087287fea7e8e9 100644
--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@@ -33,7 +33,6 @@ module GitlabMarkdownHelper
       @options = options
       gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self, {
                             # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
-                            filter_html: true,
                             with_toc_data: true,
                             safe_links_only: true
                           }.merge(options))
@@ -48,7 +47,7 @@ module GitlabMarkdownHelper
                       space_after_headers: true,
                       superscript: true)
     end
-    @markdown.render(text).html_safe
+    @markdown.render(sanitize_html(text)).html_safe
   end
 
   def first_line_in_markdown(text)
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index 17512a51658985aec363a3a19606c1cb41df42b4..464b88d07ea48dbc0a706b6e7909f68e03e52551 100644
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -80,6 +80,11 @@ module Gitlab
                                                              markdown_context)
       text = result[:output].to_html(save_with: 0)
 
+      sanitize_html(text)
+    end
+
+    # Remove HTML tags and attributes that are not whitelisted
+    def sanitize_html(text)
       allowed_attributes = ActionView::Base.sanitized_allowed_attributes
       allowed_tags = ActionView::Base.sanitized_allowed_tags
 
diff --git a/spec/helpers/gitlab_markdown_helper_spec.rb b/spec/helpers/gitlab_markdown_helper_spec.rb
index 15033f07432ac6f1d475fe0e2340ba67d29cf727..c75773ad3219b6bb89d1877da6cdb8e274eb8313 100644
--- a/spec/helpers/gitlab_markdown_helper_spec.rb
+++ b/spec/helpers/gitlab_markdown_helper_spec.rb
@@ -614,6 +614,36 @@ describe GitlabMarkdownHelper do
       expected = ""
       markdown(actual).should match(expected)
     end
+
+    it 'should allow whitelisted HTML tags from the user' do
+      actual = '<dl><dt>Term</dt><dd>Definition</dd></dl>'
+      expect(markdown(actual)).to match(actual)
+    end
+
+    it 'should sanitize tags that are not whitelisted' do
+      actual = '<textarea>no inputs allowed</textarea> <blink>no blinks</blink>'
+      expected = 'no inputs allowed no blinks'
+      expect(markdown(actual)).to match(expected)
+      expect(markdown(actual)).not_to match('<.textarea>')
+      expect(markdown(actual)).not_to match('<.blink>')
+    end
+
+    it 'should allow whitelisted tag attributes from the user' do
+      actual = '<a class="custom">link text</a>'
+      expect(markdown(actual)).to match(actual)
+    end
+
+    it 'should sanitize tag attributes that are not whitelisted' do
+      actual = '<a href="http://example.com/bar.html" foo="bar">link text</a>'
+      expected = '<a href="http://example.com/bar.html">link text</a>'
+      expect(markdown(actual)).to match(expected)
+    end
+
+    it 'should sanitize javascript in attributes' do
+      actual = %q(<a href="javascript:alert('foo')">link text</a>)
+      expected = '<a>link text</a>'
+      expect(markdown(actual)).to match(expected)
+    end
   end
 
   describe 'markdown for empty repository' do