Fix SanitizationFilter bugs

Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options` method so that Rails doesn't escape our markup. Also add `<span>` to the sanitization whitelist to avoid breaking syntax highlighting in code blocks.
author: Vinnie Okada <vokada@mrvinn.com> 2015-03-22 09:02:32 -0600
committer: Vinnie Okada <vokada@mrvinn.com> 2015-03-22 20:17:56 -0600
commit: a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e (patch)
tree: 479dc071012c903fa2a75f35c385f73fe9eed786
parent: f5e65e2e508269ff7c18318526ba01f8e7d83951 (diff)
download: gitlab-ce-a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index 65dce9291e6..11da4be4022 100644
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -89,6 +89,7 @@ module Gitlab
 
       whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
       whitelist[:attributes][:all].push('class', 'id')
+      whitelist[:elements].push('span')
 
       # Remove the rel attribute that the sanitize gem adds, and remove the
       # href attribute if it contains inline javascript
@@ -123,7 +124,7 @@ module Gitlab
         text = parse_tasks(text)
       end
 
-      text
+      text.html_safe
     end
 
     private
author	Vinnie Okada <vokada@mrvinn.com>	2015-03-22 09:02:32 -0600
committer	Vinnie Okada <vokada@mrvinn.com>	2015-03-22 20:17:56 -0600
commit	a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e (patch)
tree	479dc071012c903fa2a75f35c385f73fe9eed786
parent	f5e65e2e508269ff7c18318526ba01f8e7d83951 (diff)
download	gitlab-ce-a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e.tar.gz