Fix SanitizationFilter bugs

Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options` method so that Rails doesn't escape our markup. Also add `<span>` to the sanitization whitelist to avoid breaking syntax highlighting in code blocks.

Fix SanitizationFilter bugs
Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options` method so that Rails doesn't escape our markup. Also add `<span>` to the sanitization whitelist to avoid breaking syntax highlighting in code blocks.
a7afc063 · Vinnie Okada · f5e65e2e · a7afc063
Commit a7afc063 authored Mar 22, 2015 by Vinnie Okada
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

lib/gitlab/markdown.rb lib/gitlab/markdown.rb +2 -1

No files found.
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -89,6 +89,7 @@ module Gitlab

      whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
      whitelist[:attributes][:all].push('class', 'id')
+      whitelist[:elements].push('span')

      # Remove the rel attribute that the sanitize gem adds, and remove the
      # href attribute if it contains inline javascript
@@ -123,7 +124,7 @@ module Gitlab
        text = parse_tasks(text)
      end

-      text
+      text.html_safe
    end

    private