Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options`
method so that Rails doesn't escape our markup.

Also add `<span>` to the sanitization whitelist to avoid breaking syntax
highlighting in code blocks.