Commit 13313d9e authored by Robert Speicher

Disable RedCarpet's `escape_html` option

This option defaults to true in RedCarpet 3.2.0, but we handle
sanitization later in the process with html-pipeline.

Closes #2211
parent b142d449
......@@ -31,15 +31,17 @@ module GitlabMarkdownHelper
def markdown(text, options={})
unless @markdown && options == @options
@options = options
gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self,
user_color_scheme_class,
{
# see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
# see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch
rend = Redcarpet::Render::GitlabHTML.new(self, user_color_scheme_class, {
with_toc_data: true,
safe_links_only: true
safe_links_only: true,
# Handled further down the line by HTML::Pipeline::SanitizationFilter
escape_html: false
}.merge(options))
@markdown = Redcarpet::Markdown.new(gitlab_renderer,
# see https://github.com/vmg/redcarpet#and-its-like-really-simple-to-use
@markdown = Redcarpet::Markdown.new(rend,
no_intra_emphasis: true,
tables: true,
fenced_code_blocks: true,
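Review bot: the new `escape_html: false` entry relies on a sanitizer that this hunk never calls, and the only link is the comment "Handled further down the line by HTML::Pipeline::SanitizationFilter". With escaping off, the renderer passes raw HTML from `text` through, so the comment should name the method or file where that filter actually runs, and the change should come with a spec that feeds an HTML tag through the full helper and asserts it is stripped from the final output. Also note that the defaults hash is built before `.merge(options)`, so a caller's `options` can override both `escape_html` and `safe_links_only: true`; if those two are meant to be fixed, merge them after `options` instead.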
......@@ -47,8 +49,10 @@ module GitlabMarkdownHelper
strikethrough: true,
lax_spacing: true,
space_after_headers: true,
superscript: true)
superscript: true
)
end
@markdown.render(text).html_safe
end
......
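Review bot: the context line `@markdown.render(text).html_safe` at the end of this hunk marks the renderer output as trusted, and after the `escape_html: false` change above that output can contain raw HTML taken from `text`. Nothing in the visible lines runs a sanitization step between `render` and `html_safe`, so please confirm that every caller of `markdown` sends the result through the sanitization filter before it reaches a view, or move the `html_safe` call to the point after sanitization. The `superscript: true` / closing-paren reflow is style only and fine as is.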