diff --git a/app/assets/javascripts/defer/html-sanitizer-bundle.js b/app/assets/javascripts/defer/html-sanitizer-bundle.js
index dfc23db40ed..7e524149a35 100644
--- a/app/assets/javascripts/defer/html-sanitizer-bundle.js
+++ b/app/assets/javascripts/defer/html-sanitizer-bundle.js
@@ -2057,7 +2057,13 @@ var html = (function(html4) {
       }
       // Discourse modification: give us more flexibility with whitelists
-      if (opt_nmTokenPolicy && opt_nmTokenPolicy(tagName, attribName, value)) { continue; }
+      if (opt_nmTokenPolicy) {
+        var newValue = opt_nmTokenPolicy(tagName, attribName, value);
+        if (newValue) {
+          attribs[i + 1] = newValue;
+          continue;
+        }
+      }
       if (atype !== null) {
         switch (atype) {
diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js
index c7141dd6410..3903892741f 100644
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@@ -14,15 +14,6 @@ var _validClasses = {},
 function validateAttribute(tagName, attribName, value) {
   var tag = _validTags[tagName];
-  // Handle possible attacks
-  // if you include html in your markdown, it better be valid
-  //
-  // We are SUPER strict cause nokogiri will sometimes "correct"
-  // this stuff "incorrectly"
-  if(/[<>"'`]/.test(value)){
-    return;
-  }
-
   // Handle classes
   if (attribName === "class") {
     if (_validClasses[value]) { return value; }
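Review bot: The new `attribs[i + 1] = newValue; continue;` path writes whatever the policy returns into the attribute list and skips the type-specific checks in the `atype` switch that follows, so a policy that rewrites a value is now trusted completely, whereas the old code only let a truthy result keep the value that was already present. That contract should be stated above the `if (opt_nmTokenPolicy)` line, e.g. `// A truthy policy result replaces the attribute value and skips the atype checks below; the policy must return an already-safe value.` Note also that `if (newValue)` treats an empty-string result as "not handled" and falls through to the default handling, so a policy cannot blank an attribute through this hook; `if (newValue != null)` would allow that, but whether any caller's policy relies on returning `false` or `""` is not visible here. The enclosing attribute loop that defines `attribs`, `i` and `atype` starts and ends outside the hunk.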
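Review bot: With the guard rejecting `<`, `>`, quotes and backticks removed, the whitelist lookups in validateAttribute are the only check left on attribute values, and the visible one, `if (_validClasses[value]) { return value; }`, reads through the prototype chain of a plain object: a value such as `constructor` or `toString` is truthy there and is returned as a valid class even though it was never whitelisted. An own-property test closes that gap, `if (Object.prototype.hasOwnProperty.call(_validClasses, value)) { return value; }`, and the same change applies to any sibling whitelist object consulted further down the function. The removed comment also recorded why the character check existed (server-side HTML "correction"); if the value-rewriting policy hook added in html-sanitizer-bundle.js is now meant to cover that case, a one-line comment at the removal point saying so would help the next reader. validateAttribute continues past the end of the hunk.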