authorRobert Speicher <rspeicher@gmail.com>2015-04-08 12:35:57 -0400
committerRobert Speicher <rspeicher@gmail.com>2015-04-09 17:28:45 -0400
commit13313d9e31b0d32dad925cae378d4f8ff8abcecf (patch)
tree23f95540e8322963a1e365e2af82ba5549709a43 /app/helpers/gitlab_markdown_helper.rb
parentb142d449c6dbefbf16a55d53bd28867a682f341a (diff)
downloadgitlab-ce-13313d9e31b0d32dad925cae378d4f8ff8abcecf.tar.gz
Disable RedCarpet's `escape_html` option
This option defaults to true in RedCarpet 3.2.0, but we handle sanitization later in the process with html-pipeline. Closes #2211
Diffstat (limited to 'app/helpers/gitlab_markdown_helper.rb')
-rw-r--r--app/helpers/gitlab_markdown_helper.rb38
1 files changed, 21 insertions, 17 deletions
diff --git a/app/helpers/gitlab_markdown_helper.rb b/app/helpers/gitlab_markdown_helper.rb
index 7ca3f058636..17266656a4e 100644
--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@@ -31,24 +31,28 @@ module GitlabMarkdownHelper
def markdown(text, options={})
unless @markdown && options == @options
@options = options
- gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self,
- user_color_scheme_class,
- {
- # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
- with_toc_data: true,
- safe_links_only: true
- }.merge(options))
- @markdown = Redcarpet::Markdown.new(gitlab_renderer,
- # see https://github.com/vmg/redcarpet#and-its-like-really-simple-to-use
- no_intra_emphasis: true,
- tables: true,
- fenced_code_blocks: true,
- autolink: true,
- strikethrough: true,
- lax_spacing: true,
- space_after_headers: true,
- superscript: true)
+
+ # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch
+ rend = Redcarpet::Render::GitlabHTML.new(self, user_color_scheme_class, {
+ with_toc_data: true,
+ safe_links_only: true,
+ # Handled further down the line by HTML::Pipeline::SanitizationFilter
+ escape_html: false
+ }.merge(options))
+
+ # see https://github.com/vmg/redcarpet#and-its-like-really-simple-to-use
+ @markdown = Redcarpet::Markdown.new(rend,
+ no_intra_emphasis: true,
+ tables: true,
+ fenced_code_blocks: true,
+ autolink: true,
+ strikethrough: true,
+ lax_spacing: true,
+ space_after_headers: true,
+ superscript: true
+ )
end
+
@markdown.render(text).html_safe
end
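Review bot: With `escape_html: false`, the final `@markdown.render(text).html_safe` marks raw user-supplied HTML as safe unless the sanitizer has already run inside `render`, and nothing in this hunk shows that it does. The comment next to the option only says sanitization happens "further down the line", so the return line should say where, e.g. `# html_safe is valid only because the renderer runs HTML::Pipeline::SanitizationFilter during render` (wording to be confirmed against `GitlabHTML`, which is outside this hunk). Because the defaults are followed by `.merge(options)`, any caller can also override `safe_links_only` and `escape_html`; if that is not intended, apply the fixed keys last, as in `options.merge(safe_links_only: true, escape_html: false)`. A helper spec that passes a script element and an inline event-handler attribute through `markdown` and asserts both are removed would pin the guarantee this change now relies on.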