Not working, but slightly better...

modules/base/markdown.go

@@ -340,7 +340,7 @@ OUTER_LOOP:
 func RenderMarkdown(rawBytes []byte, urlPrefix string, metas map[string]string) []byte {
 	result := RenderRawMarkdown(rawBytes, urlPrefix)
 	result = PostProcessMarkdown(result, urlPrefix, metas)
-	result = BuildSanitizer().SanitizeBytes(result)
+	result = Sanitizer.SanitizeBytes(result)
 	return result
 }
 

modules/base/tool.go

@@ -31,17 +31,19 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-func BuildSanitizer() (p *bluemonday.Policy) {
+var Sanitizer = bluemonday.UGCPolicy()
-	p = bluemonday.UGCPolicy()
+
-	p.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
+func BuildSanitizer() {
-
+	// Normal markdown-stuff
-	p.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
+	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
-	p.AllowAttrs("checked", "disabled").OnElements("input")
-	p.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
-	return p
-}
 
-var Sanitizer = BuildSanitizer()
+	// Checkboxes
+	Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
+	Sanitizer.AllowAttrs("checked", "disabled").OnElements("input")
+
+	// Custom URL-Schemes
+	Sanitizer.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+}
 
 // EncodeMD5 encodes string to md5 hex value.
 func EncodeMD5(str string) string {

modules/template/template.go

@@ -105,7 +105,7 @@ func Safe(raw string) template.HTML {
 }
 
 func Str2html(raw string) template.HTML {
-	return template.HTML(base.BuildSanitizer().Sanitize(raw))
+	return template.HTML(base.Sanitizer.Sanitize(raw))
 }
 
 func Range(l int) []int {

routers/install.go

@@ -91,6 +91,9 @@ func GlobalInit() {
 		ssh.Listen(setting.SSHPort)
 		log.Info("SSH server started on :%v", setting.SSHPort)
 	}
+
+	// Build Sanitizer
+	base.BuildSanitizer()
 }
 
 func InstallInit(ctx *middleware.Context) {