Disable RedCarpet's `escape_html` option

This option defaults to true in RedCarpet 3.2.0, but we handle
sanitization later in the process with html-pipeline.

Closes #2211

app/helpers/gitlab_markdown_helper.rb

@@ -31,15 +31,17 @@ module GitlabMarkdownHelper
   def markdown(text, options={})
     unless @markdown && options == @options
       @options = options
-      gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self,
-                                                          user_color_scheme_class,
-                                                          {
-                            # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
+
+      # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch
+      rend = Redcarpet::Render::GitlabHTML.new(self, user_color_scheme_class, {
         with_toc_data:   true,
-                            safe_links_only: true
+        safe_links_only: true,
+        # Handled further down the line by HTML::Pipeline::SanitizationFilter
+        escape_html:     false
       }.merge(options))
-      @markdown = Redcarpet::Markdown.new(gitlab_renderer,
+
       # see https://github.com/vmg/redcarpet#and-its-like-really-simple-to-use
+      @markdown = Redcarpet::Markdown.new(rend,
         no_intra_emphasis:   true,
         tables:              true,
         fenced_code_blocks:  true,
@@ -47,8 +49,10 @@ module GitlabMarkdownHelper
         strikethrough:       true,
         lax_spacing:         true,
         space_after_headers: true,
-                      superscript: true)
+        superscript:         true
+      )
     end
+
     @markdown.render(text).html_safe
   end