From a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e Mon Sep 17 00:00:00 2001
From: Vinnie Okada <vokada@mrvinn.com>
Date: Sun, 22 Mar 2015 09:02:32 -0600
Subject: [PATCH] Fix SanitizationFilter bugs

Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options`
method so that Rails doesn't escape our markup.

Also add `<span>` to the sanitization whitelist to avoid breaking syntax
highlighting in code blocks.
---
 lib/gitlab/markdown.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index 65dce9291e6..11da4be4022 100644
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -89,6 +89,7 @@ module Gitlab
 
       whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
       whitelist[:attributes][:all].push('class', 'id')
+      whitelist[:elements].push('span')
 
       # Remove the rel attribute that the sanitize gem adds, and remove the
       # href attribute if it contains inline javascript
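Review bot: The added `whitelist[:elements].push('span')` mutates the gem-level constant `HTML::Pipeline::SanitizationFilter::WHITELIST` in place, and the push runs on every call of the enclosing method, so the shared elements array gains a duplicate `'span'` entry per call (the existing `push('class', 'id')` on the previous line has the same shape). Because the constant is process-wide, any other consumer of the gem in the same process silently inherits this broadened whitelist. The minimal fix is to make the addition idempotent, `whitelist[:elements].push('span') unless whitelist[:elements].include?('span')`; a cleaner one is to deep-copy the constant into a local hash before extending it, which also keeps the gem's default untouched for other callers. The enclosing method starts outside the hunk, so I cannot confirm whether any guard already exists above.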
@@ -123,7 +124,7 @@ module Gitlab
         text = parse_tasks(text)
       end
 
-      text
+      text.html_safe
     end
 
     private
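Review bot: Returning `text.html_safe` asserts that every code path reaching this line has passed the `SanitizationFilter` configured earlier in the method; the method body starts outside the hunk, so I cannot verify that the pipeline cannot be skipped by options, or whether `parse_tasks(text)` on the preceding line injects markup after sanitization. If either is possible, the `html_safe` mark would let unsanitized user-supplied HTML reach the view unescaped. A comment recording the invariant would help future maintainers, e.g. `# Safe to mark html_safe: text has been through the SanitizationFilter pipeline above.`, and the ordering of `parse_tasks` relative to sanitization is worth confirming in the lines above the hunk.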
-- 
GitLab