Escape text passed to gfm by link_to_gfm

app/helpers/gitlab_markdown_helper.rb

@@ -12,8 +12,8 @@ module GitlabMarkdownHelper
   # "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
   def link_to_gfm(body, url, html_options = {})
     return "" if body.blank?
-    
-    gfm_body = gfm(body, html_options)
+
+    gfm_body = gfm(escape_once(body), html_options)
 
     gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match|
       "</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1

app/views/commits/_commit_box.html.haml

@@ -11,10 +11,10 @@
       = link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
         %strong Browse Code »
     %h3.commit-title.page_title
-      = gfm @commit.title
+      = gfm escape_once(@commit.title)
     - if @commit.description.present?
       %pre.commit-description
-        = gfm @commit.description
+        = gfm escape_once(@commit.description)
   .commit-info
     .row
       .span4