diff --git a/gitiles-servlet/BUILD b/gitiles-servlet/BUILD
index bc67ebd..142e14c 100644
--- a/gitiles-servlet/BUILD
+++ b/gitiles-servlet/BUILD
@@ -9,6 +9,7 @@
     "//lib:commons-lang3",
     "//lib:gson",
     "//lib:guava",
+    "//lib:html-types",
     "//lib:joda-time",
     "//lib:jsr305",
     "//lib:commonmark",
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/RootedDocServlet.java b/gitiles-servlet/src/main/java/com/google/gitiles/RootedDocServlet.java
index 90c6e07..96329b1 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/RootedDocServlet.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/RootedDocServlet.java
@@ -17,6 +17,7 @@
 import static org.eclipse.jgit.http.server.ServletUtils.ATTRIBUTE_REPOSITORY;
 
 import com.google.gitiles.doc.DocServlet;
+import com.google.gitiles.doc.HtmlSanitizer;
 import java.io.IOException;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
@@ -48,8 +49,16 @@
       RepositoryResolver<HttpServletRequest> resolver,
       GitilesAccess.Factory accessFactory,
       Renderer renderer) {
+    this(resolver, accessFactory, renderer, HtmlSanitizer.DISABLED_FACTORY);
+  }
+
+  public RootedDocServlet(
+      RepositoryResolver<HttpServletRequest> resolver,
+      GitilesAccess.Factory accessFactory,
+      Renderer renderer,
+      HtmlSanitizer.Factory htmlSanitizer) {
     this.resolver = resolver;
-    docServlet = new DocServlet(accessFactory, renderer);
+    docServlet = new DocServlet(accessFactory, renderer, htmlSanitizer);
   }
 
   @Override
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java
index 001b3b2..1a4fce9 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java
@@ -70,8 +70,16 @@
   // files are automatically hashed as part of the ETag.
   private static final int ETAG_GEN = 5;
 
+  private final HtmlSanitizer.Factory htmlSanitizer;
+
   public DocServlet(GitilesAccess.Factory accessFactory, Renderer renderer) {
+    this(accessFactory, renderer, HtmlSanitizer.DISABLED_FACTORY);
+  }
+
+  public DocServlet(
+      GitilesAccess.Factory accessFactory, Renderer renderer, HtmlSanitizer.Factory htmlSanitizer) {
     super(renderer, accessFactory);
+    this.htmlSanitizer = htmlSanitizer;
   }
 
   @Override
@@ -128,7 +136,8 @@
               .setGitilesView(view)
               .setRequestUri(req.getRequestURI())
               .setReader(reader)
-              .setRootTree(root);
+              .setRootTree(root)
+              .setHtmlSanitizer(htmlSanitizer.create(req));
       Navbar navbar = createNavbar(cfg, fmt, navmd);
       res.setHeader(HttpHeaders.ETAG, curEtag);
       showDoc(req, res, view, fmt, navbar, srcmd);
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesHtmlExtension.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesHtmlExtension.java
index 834f5fd..e92a52f 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesHtmlExtension.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesHtmlExtension.java
@@ -123,9 +123,6 @@
         return;
       }
     }
-
-    // Discard potentially unsafe HtmlInline.
-    curr.unlink();
   }
 
   private static boolean isAnchorClose(Node n) {
@@ -148,9 +145,6 @@
         }
       }
     }
-
-    // Discard potentially unsafe HtmlBlock.
-    curr.unlink();
   }
 
   private static IframeBlock iframe(String html) {
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/HtmlSanitizer.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/HtmlSanitizer.java
new file mode 100644
index 0000000..0c23ce0
--- /dev/null
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/HtmlSanitizer.java
@@ -0,0 +1,32 @@
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gitiles.doc;
+
+import com.google.common.html.types.SafeHtml;
+import javax.servlet.http.HttpServletRequest;
+
+/** Verifies a user content HTML block is safe. */
+public interface HtmlSanitizer {
+  public static final HtmlSanitizer DISABLED = unused -> SafeHtml.EMPTY;
+  public static final Factory DISABLED_FACTORY = req -> DISABLED;
+
+  /** Verifies the supplied block is safe, or returns {@link SafeHtml#EMPTY}. */
+  SafeHtml sanitize(String html);
+
+  /** Creates an {@link HtmlSanitizer} for this request. */
+  public interface Factory {
+    HtmlSanitizer create(HttpServletRequest req);
+  }
+}
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java
index b88f4fd..8bcb919 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java
@@ -17,6 +17,7 @@
 import static com.google.gitiles.doc.MarkdownUtil.getInnerText;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.MoreObjects;
 import com.google.common.base.Strings;
 import com.google.gitiles.GitilesView;
 import com.google.gitiles.ThreadSafePrettifyParser;
@@ -81,6 +82,7 @@
     private String filePath;
     private ObjectReader reader;
     private RevTree root;
+    private HtmlSanitizer htmlSanitizer = HtmlSanitizer.DISABLED;
 
     Builder() {}
 
@@ -114,6 +116,11 @@
       return this;
     }
 
+    public Builder setHtmlSanitizer(HtmlSanitizer htmlSanitizer) {
+      this.htmlSanitizer = MoreObjects.firstNonNull(htmlSanitizer, HtmlSanitizer.DISABLED);
+      return this;
+    }
+
     public MarkdownToHtml build() {
       return new MarkdownToHtml(this);
     }
@@ -125,17 +132,23 @@
   private final GitilesView view;
   private final MarkdownConfig config;
   private final String filePath;
+  private final HtmlSanitizer htmlSanitizer;
   private final ImageLoader imageLoader;
   private boolean outputNamedAnchor = true;
 
-  private MarkdownToHtml(Builder b) {
+  protected MarkdownToHtml(Builder b) {
     requestUri = b.requestUri;
     view = b.view;
     config = b.config;
     filePath = b.filePath;
+    htmlSanitizer = b.htmlSanitizer;
     imageLoader = newImageLoader(b);
   }
 
+  protected HtmlBuilder html() {
+    return html;
+  }
+
   private static ImageLoader newImageLoader(Builder b) {
     if (b.reader != null && b.view != null && b.config != null && b.root != null) {
       return new ImageLoader(b.reader, b.view, b.config, b.root);
@@ -501,12 +514,12 @@
 
   @Override
   public void visit(HtmlInline node) {
-    // Discard all HTML.
+    // Discard inline HTML, as it's always partial tags.
   }
 
   @Override
   public void visit(HtmlBlock node) {
-    // Discard all HTML.
+    html.append(htmlSanitizer.sanitize(node.getLiteral()));
   }
 
   private void wrapChildren(String tag, Node node) {
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java
index b8f43b0..8235161 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java
@@ -15,10 +15,12 @@
 package com.google.gitiles.doc.html;
 
 import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.html.types.SafeHtml;
 import com.google.gitiles.doc.RuntimeIOException;
 import com.google.template.soy.shared.restricted.EscapingConventions.EscapeHtml;
 import com.google.template.soy.shared.restricted.EscapingConventions.FilterImageDataUri;
@@ -256,6 +258,17 @@
     }
   }
 
+  /** Append a previously determined to be safe HTML fragment. */
+  public void append(SafeHtml html) {
+    checkNotNull(html, "SafeHtml");
+    finishActiveTag();
+    try {
+      htmlBuf.append(html.getSafeHtmlString());
+    } catch (IOException e) {
+      throw new RuntimeIOException(e);
+    }
+  }
+
   /** Finish the document. */
   public void finish() {
     finishActiveTag();