angular_xss 0.4.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb1a0c1e8ae803433d1bd66dcde3646143295fd909faed0000e4c901d06c2b2c
-  data.tar.gz: 2a712de0b5d20e9bbdc6eba1a361ba5ab7d8b3a817df18ec16ed3f9c5f505e7f
+  metadata.gz: 3b6ab389824dfbb7cb7fa43b90922924b71330f335de953f0a07c9034d8bccaa
+  data.tar.gz: 70d073c5c2377cd8065ace516f34bffac0e22f8ed321b784390b0d125a05ecf3
 SHA512:
-  metadata.gz: d802e1bb79a3dc3ff5a7b51ee4ec11303a28c68920d6f4f456145360376672f67a16ff55de9761f1ae88e1a86a350296ebb8b02b684ed83ac0a355b75fa0961b
-  data.tar.gz: 974517dfd01363d23bec8c776e4198da2e510eea042396c59de17e9d1872e075d4a8ba06d10e73099f018e1c0ca4501cbbc7c9524d49dd277fe396c4ee6a034e
+  metadata.gz: 1a2f62a344faa4bda34bfdfce335058a5a4b58d6f9406ee9d22771494dc1a61fc102c922033ce54123dcb27514a76c035b5e176c87569bb2262ca5d36d8c8982
+  data.tar.gz: d33a56cc8c6e6d3d51feea115007ee8f731633880d07a11f21a2c0c4afb6f9325d5134d3b2565867d3304f8f5531bd0c0126c83656107d019a1e68421ad4e730

data/.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
       matrix:
         include:
         - ruby: 2.5.9
-          gemfile: Gemfile.rails-3.2
+          gemfile: Gemfile.rails-3.2.haml-4
         - ruby: 2.5.9
           gemfile: Gemfile.rails-4.2.haml-4
         - ruby: 2.5.9
@@ -34,14 +34,18 @@ jobs:
         - ruby: 2.7.2
           gemfile: Gemfile.rails-7.0.haml-5
 
-        - ruby: 3.0.1
+        - ruby: 3.2.3
           gemfile: Gemfile.rails-5.1.haml-4
-        - ruby: 3.0.1
+        - ruby: 3.2.3
           gemfile: Gemfile.rails-5.1.haml-5
-        - ruby: 3.0.1
+        - ruby: 3.2.3
           gemfile: Gemfile.rails-6.1.haml-5
-        - ruby: 3.0.1
+        - ruby: 3.2.3
           gemfile: Gemfile.rails-7.0.haml-5
+        - ruby: 3.2.3
+          gemfile: Gemfile.rails-7.1.haml-5
+        - ruby: 3.2.3
+          gemfile: Gemfile.rails-7.1.haml-6
     env:
       BUNDLE_GEMFILE: "${{ matrix.gemfile }}"
     steps:

data/.ruby-version

@@ -1 +1 @@
-2.7.2
+3.2.3

data/CHANGELOG.md

@@ -9,6 +9,19 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 
 ### Breaking changes
 
+## 1.0 2024-07-02
+
+### Compatible changes
+* Bump version to 1.0 as this gem is production-ready for 10 years
+* Declare the gem to be unmaintained
+* Add compatibility with Rails 7.1
+* Add compatibility with HAML 6
+  * NOTE: Don't use HAML 6.0.0. AngularXSS relies on a patch [introduced in 6.0.1](https://github.com/haml/haml/blob/main/CHANGELOG.md#601). Anything newer should be fine - the gem is currently tested against HAML 6.3
+* Refactor our patches to use `Module#prepend` instead of `Module#module_eval`
+* Refactor gem version comparisons to use `Gem::Version` instances
+* Refactor specs to use the `expect` syntax
+* Improve test coverage for more interpolation scenarios in ERB and HAML
+* Add unit tests for patched methods
 
 ## 0.4.1 2022-03-16
 

data/{Gemfile.rails-3.2 → Gemfile.rails-3.2.haml-4}

@@ -5,5 +5,5 @@ gem 'actionpack', '~>3.2'
 gem 'rspec'
 gem 'haml', '=4.0.2'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/{Gemfile.rails-3.2.lock → Gemfile.rails-3.2.haml-4.lock}

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -28,7 +28,7 @@ GEM
     concurrent-ruby (1.0.5)
     diff-lcs (1.3)
     erubis (2.7.0)
-    gemika (0.6.1)
+    gemika (0.8.3)
     haml (4.0.2)
       tilt
     hike (1.2.3)
@@ -81,11 +81,11 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 3.2)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (= 4.0.2)
   railties (~> 3.2)
   rake
   rspec
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/Gemfile.rails-4.2.haml-4

@@ -4,5 +4,5 @@ gem 'actionpack', '~>4.2'
 gem 'rspec'
 gem 'haml', '<5'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/Gemfile.rails-4.2.haml-4.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -31,7 +31,7 @@ GEM
     crass (1.0.3)
     diff-lcs (1.3)
     erubis (2.7.0)
-    gemika (0.6.1)
+    gemika (0.8.3)
     haml (4.0.7)
       tilt
     i18n (0.9.1)
@@ -79,10 +79,10 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 4.2)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (< 5)
   rake
   rspec
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/Gemfile.rails-4.2.haml-5

@@ -4,5 +4,5 @@ gem 'actionpack', '~>4.2'
 gem 'rspec'
 gem 'haml', '~> 5'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/Gemfile.rails-4.2.haml-5.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -31,7 +31,7 @@ GEM
     crass (1.0.3)
     diff-lcs (1.3)
     erubis (2.7.0)
-    gemika (0.6.1)
+    gemika (0.8.3)
     haml (5.0.4)
       temple (>= 0.8.0)
       tilt
@@ -81,10 +81,10 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 4.2)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (~> 5)
   rake
   rspec
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/Gemfile.rails-5.1.haml-4

@@ -4,5 +4,5 @@ gem 'actionpack', '~>5.1'
 gem 'rspec'
 gem 'haml', '< 5'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/Gemfile.rails-5.1.haml-4.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -31,7 +31,7 @@ GEM
     crass (1.0.3)
     diff-lcs (1.3)
     erubi (1.7.0)
-    gemika (0.6.1)
+    gemika (0.8.3)
     haml (4.0.7)
       tilt
     i18n (0.9.1)
@@ -39,10 +39,12 @@ GEM
     loofah (2.1.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mini_portile2 (2.3.0)
+    mini_portile2 (2.5.3)
     minitest (5.10.3)
-    nokogiri (1.8.1)
-      mini_portile2 (~> 2.3.0)
+    nokogiri (1.11.7)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    racc (1.7.3)
     rack (2.0.3)
     rack-test (0.8.2)
       rack (>= 1.0, < 3)
@@ -76,7 +78,7 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 5.1)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (< 5)
   rake
   rspec

data/Gemfile.rails-5.1.haml-5

@@ -4,5 +4,5 @@ gem 'actionpack', '~>5.1'
 gem 'rspec'
 gem 'haml', '~> 5'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/Gemfile.rails-5.1.haml-5.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -31,7 +31,7 @@ GEM
     crass (1.0.3)
     diff-lcs (1.3)
     erubi (1.7.0)
-    gemika (0.6.1)
+    gemika (0.8.3)
     haml (5.0.4)
       temple (>= 0.8.0)
       tilt
@@ -40,10 +40,12 @@ GEM
     loofah (2.1.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mini_portile2 (2.3.0)
+    mini_portile2 (2.5.3)
     minitest (5.10.3)
-    nokogiri (1.8.1)
-      mini_portile2 (~> 2.3.0)
+    nokogiri (1.11.7)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    racc (1.7.3)
     rack (2.0.3)
     rack-test (0.8.2)
       rack (>= 1.0, < 3)
@@ -52,7 +54,7 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
-    rake (12.3.0)
+    rake (13.2.1)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
@@ -78,7 +80,7 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 5.1)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (~> 5)
   rake
   rspec

data/Gemfile.rails-6.1.haml-5

@@ -4,5 +4,5 @@ gem 'actionpack', '~>6.1'
 gem 'rspec'
 gem 'haml', '~> 5'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/Gemfile.rails-6.1.haml-5.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -32,7 +32,7 @@ GEM
     crass (1.0.6)
     diff-lcs (1.4.4)
     erubi (1.10.0)
-    gemika (0.6.0)
+    gemika (0.8.3)
     haml (5.2.1)
       temple (>= 0.8.0)
       tilt
@@ -81,7 +81,7 @@ PLATFORMS
 DEPENDENCIES
   actionpack (~> 6.1)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (~> 5)
   rake
   rspec

data/Gemfile.rails-7.0.haml-5

@@ -4,5 +4,5 @@ gem 'actionpack', '~>7.0'
 gem 'rspec'
 gem 'haml', '~> 5'
 gem 'angular_xss', :path => '.'
-gem 'gemika'
+gem 'gemika', '>= 0.8.3'
 gem 'rake'

data/Gemfile.rails-7.0.haml-5.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    angular_xss (0.4.1)
+    angular_xss (1.0.0)
       activesupport
       haml (>= 3.1.5)
 
@@ -31,7 +31,7 @@ GEM
     crass (1.0.6)
     diff-lcs (1.4.4)
     erubi (1.10.0)
-    gemika (0.6.1)
+    gemika (0.8.3)
     haml (5.2.2)
       temple (>= 0.8.0)
       tilt
@@ -40,8 +40,10 @@ GEM
     loofah (2.13.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
+    mini_portile2 (2.6.1)
     minitest (5.15.0)
-    nokogiri (1.12.5-x86_64-linux)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
     racc (1.6.0)
     rack (2.2.3)
@@ -72,12 +74,12 @@ GEM
       concurrent-ruby (~> 1.0)
 
 PLATFORMS
-  x86_64-linux
+  ruby
 
 DEPENDENCIES
   actionpack (~> 7.0)
   angular_xss!
-  gemika
+  gemika (>= 0.8.3)
   haml (~> 5)
   rake
   rspec

data/Gemfile.rails-7.1.haml-5

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.1'
+gem 'rspec'
+gem 'haml', '~> 5'
+gem 'angular_xss', :path => '.'
+gem 'gemika', '>= 0.8.3'
+gem 'rake'
+gem 'byebug'

data/Gemfile.rails-7.1.haml-5.lock

@@ -0,0 +1,105 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (1.0.0)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      mutex_m
+      tzinfo (~> 2.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    byebug (11.1.3)
+    concurrent-ruby (1.3.3)
+    connection_pool (2.4.1)
+    crass (1.0.6)
+    diff-lcs (1.5.1)
+    drb (2.2.1)
+    erubi (1.13.0)
+    gemika (0.8.3)
+    haml (5.2.2)
+      temple (>= 0.8.0)
+      tilt
+    i18n (1.14.5)
+      concurrent-ruby (~> 1.0)
+    loofah (2.22.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    minitest (5.23.1)
+    mutex_m (0.2.0)
+    nokogiri (1.16.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.8.0)
+    rack (3.1.3)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    rake (13.2.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    temple (0.10.3)
+    tilt (2.3.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  actionpack (~> 7.1)
+  angular_xss!
+  byebug
+  gemika (>= 0.8.3)
+  haml (~> 5)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.5.13

data/Gemfile.rails-7.1.haml-6

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.1'
+gem 'rspec'
+gem 'haml', '~> 6'
+gem 'angular_xss', :path => '.'
+gem 'gemika', '>= 0.8.3'
+gem 'rake'
+gem 'byebug'

data/Gemfile.rails-7.1.haml-6.lock

@@ -0,0 +1,122 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (1.0.0)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      mutex_m
+      tzinfo (~> 2.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    byebug (11.1.3)
+    concurrent-ruby (1.3.3)
+    connection_pool (2.4.1)
+    crass (1.0.6)
+    diff-lcs (1.5.1)
+    drb (2.2.1)
+    erubi (1.13.0)
+    gemika (0.8.3)
+    haml (6.3.0)
+      temple (>= 0.8.2)
+      thor
+      tilt
+    i18n (1.14.5)
+      concurrent-ruby (~> 1.0)
+    loofah (2.22.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    minitest (5.24.0)
+    mutex_m (0.2.0)
+    nokogiri (1.16.6-aarch64-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-arm-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.8.0)
+    rack (3.1.3)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    rake (13.2.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    temple (0.10.3)
+    thor (1.3.1)
+    tilt (2.3.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+
+PLATFORMS
+  aarch64-linux
+  arm-linux
+  arm64-darwin
+  x86-linux
+  x86_64-darwin
+  x86_64-linux
+
+DEPENDENCIES
+  actionpack (~> 7.1)
+  angular_xss!
+  byebug
+  gemika (>= 0.8.3)
+  haml (~> 6)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.5.13

data/README.md

@@ -7,6 +7,12 @@ This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are aut
 
 **This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
 
+🚧 Notice: unmaintained gem
+------------------
+
+We are no longer actively maintaining this gem.
+
+The `1.0` release added support for HAML 6 and Rails 7.1, so the gem will at least support Rails 3.2 - 7.1 and HAML 4 - 6. `angular_xss` might still work for future versions HAML and Rails, but we won't actively ensure it does.
 
 Disable escaping locally
 ------------------------
@@ -56,11 +62,13 @@ Development
 -----------
 
 - Fork the repository.
-- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
-- You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Prepare your changes, and ensure existing and new test are green:
+  - `bundle exec rake matrix:install` installs all dependencies for all Gemfiles
+  - `bundle exec rake matrix:spec` runs all specs in all configurations
+  - You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Push your changes with specs. There is a test application in `spec/app_root` if you need to test integration with a live Rails app.
 - Send a pull request.
 
-
 Credits
 -------
 

data/lib/angular_xss/erb.rb

@@ -1,33 +1,25 @@
-# Use module_eval so we crash when ERB::Util has not yet been loaded.
-ERB::Util.module_eval do
-
-  if private_method_defined? :unwrapped_html_escape # Rails 4.2+
-
-    def unwrapped_html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        unwrapped_html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+if ERB::Util.private_method_defined? :unwrapped_html_escape
+  # Rails 4.2+
+  # https://github.com/rails/rails/blob/main/activesupport/lib/active_support/core_ext/erb/util.rb
+  module ERBUtilExt
+    def html_escape_once(s)
+      super(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
-    alias_method :unwrapped_html_escape_without_escaping_angular_expressions, :unwrapped_html_escape
-    alias_method :unwrapped_html_escape, :unwrapped_html_escape_with_escaping_angular_expressions
-
-    singleton_class.send(:remove_method, :unwrapped_html_escape)
-    module_function :unwrapped_html_escape
-    module_function :unwrapped_html_escape_without_escaping_angular_expressions
+    def unwrapped_html_escape(s)
+      super(AngularXss::Escaper.escape_if_unsafe(s))
+    end
+    # Note that html_escape() and h() are passively fixed as they are calling the two methods above
+  end
+  ERB::Util.prepend ERBUtilExt
+  ERB::Util.singleton_class.prepend ERBUtilExt
 
-  else # Rails < 4.2
+else
+  ERB::Util.module_eval do
+    # Rails < 4.2
 
     def html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
     alias_method_chain :html_escape, :escaping_angular_expressions
@@ -41,7 +33,5 @@ ERB::Util.module_eval do
     singleton_class.send(:remove_method, :html_escape)
     module_function :html_escape
     module_function :html_escape_without_escaping_angular_expressions
-
   end
-
 end

data/lib/angular_xss/escaper.rb

@@ -27,6 +27,14 @@ module AngularXss
       end
     end
 
+    def self.escape_if_unsafe(string)
+      if string.nil? || string.to_s.html_safe?
+        string
+      else
+        escape(string.to_s)
+      end
+    end
+
     def self.disabled?
       !!Thread.current[XSS_DISABLED_KEY]
     end

data/lib/angular_xss/haml.rb

@@ -1,32 +1,38 @@
-# Haml 5.0 and 5.1 fall back to erb
-if Haml::VERSION < '5'
+haml_version = Gem::Version.new(Haml::VERSION)
+
+if haml_version < Gem::Version.new(5)
   # Use module_eval so we crash when Haml::Helpers has not yet been loaded.
   Haml::Helpers.module_eval do
-
     def html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
     alias_method :html_escape_without_escaping_angular_expressions, :html_escape
     alias_method :html_escape, :html_escape_with_escaping_angular_expressions
   end
+elsif haml_version < Gem::Version.new('5.2')
+  # Haml 5.0 and 5.1 fall back to erb
+elsif haml_version < Gem::Version.new(6)
+  # HAML 5.2+
+  module HTMLEscapeWithoutHAMLWithAngularXSS
+    def html_escape_without_haml_xss(html)
+      super(AngularXss::Escaper.escape_if_unsafe(html))
+    end
+  end
 
-elsif Haml::VERSION >= '5.2' 
-  Haml::Helpers.module_eval do
-
-    def html_escape_without_haml_xss_with_escaping_angular_expressions(s)
-      s = s.to_s
-      return s if s.html_safe?
+  Haml::Helpers.singleton_class.prepend HTMLEscapeWithoutHAMLWithAngularXSS
+else
+  # Haml 6+
+  # It ditched most of is own helpers in favor of Haml::Util.escape_html
+  # https://github.com/haml/haml/blob/main/CHANGELOG.md#600
+  # https://github.com/haml/haml/compare/v5.2.2...v6.3.0
+  # https://github.com/haml/haml/blob/v6.3.0/lib/haml/util.rb
 
-      html_escape_without_haml_xss_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+  module EscapeHTMLWithAngularXSS
+    def escape_html(html)
+      super(AngularXss::Escaper.escape_if_unsafe(html))
     end
-
-    alias_method :html_escape_without_haml_xss_without_escaping_angular_expressions, :html_escape_without_haml_xss
-    alias_method :html_escape_without_haml_xss, :html_escape_without_haml_xss_with_escaping_angular_expressions
   end
+
+  Haml::Util.singleton_class.prepend EscapeHTMLWithAngularXSS
 end

data/lib/angular_xss/output_buffer.rb

@@ -0,0 +1,25 @@
+##
+# Monkey patch ActionView::OutputBuffer to escape double braces from Angular
+#
+# Link to the original implementation without Angular XSS escaping:
+# https://github.com/rails/rails/blob/v7.1.3.4/actionview/lib/action_view/buffers.rb
+
+
+if defined?(ActionView::VERSION) && Gem::Version.new(ActionView::VERSION::STRING) >= Gem::Version.new('7.1')
+  # ActionView < 7.1 used our patched ERB::Util.h to escape, 7.1 switched to CGI.escapeHTML
+  module OutputBufferWithEscapedAngularXSS
+    def <<(value)
+      super(AngularXss::Escaper.escape_if_unsafe(value))
+    end
+
+    def concat(value)
+      super(AngularXss::Escaper.escape_if_unsafe(value))
+    end
+
+    def append=(value)
+      super(AngularXss::Escaper.escape_if_unsafe(value))
+    end
+  end
+
+  ActionView::OutputBuffer.prepend OutputBufferWithEscapedAngularXSS
+end

data/lib/angular_xss/version.rb

@@ -1,3 +1,3 @@
 module AngularXss
-  VERSION = '0.4.1'
+  VERSION = '1.0.0'
 end

data/lib/angular_xss.rb

@@ -1,6 +1,7 @@
 #"string".respond_to?(:html_safe?) or raise "No rails_xss implementation present"
 
 require 'angular_xss/escaper'
+require 'angular_xss/output_buffer'
 require 'angular_xss/safe_buffer'
 require 'angular_xss/erb'
 require 'angular_xss/haml'

data/spec/angular_xss/erb_spec.rb

@@ -1,7 +1,50 @@
-require 'spec_helper'
-
 describe 'Angular XSS prevention in ERB', :type => :view do
-
   it_should_behave_like 'engine preventing Angular XSS', :partial => 'test_erb'
+end
+
+describe ERB::Util do
+  describe '#html_escape' do
+    it 'escapes angular braces' do
+      expect(described_class.html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not modify already HTML safe strings' do
+      expect(described_class.html_escape("{{safe}}".html_safe)).to eq("{{safe}}")
+    end
+  end
+
+  describe '#h' do
+    it 'escapes angular braces' do
+      expect(described_class.h("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not modify already HTML safe strings' do
+      expect(described_class.h("{{safe}}".html_safe)).to eq("{{safe}}")
+    end
+  end
+
+  # Rails < 4 does not implement unwrapped_html_escape and html_escape_once
+  if described_class.method_defined? :unwrapped_html_escape
+    describe '#unwrapped_html_escape' do
+      it 'escapes angular braces' do
+        expect(described_class.unwrapped_html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+      end
+
+      it 'does not modify already HTML safe strings' do
+        expect(described_class.unwrapped_html_escape("{{safe}}".html_safe)).to eq("{{safe}}")
+      end
+    end
+  end
+
+  if described_class.method_defined? :html_escape_once
+    describe '#html_escape_once' do
+      it 'escapes angular braces' do
+        expect(described_class.html_escape_once("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+      end
 
+      it 'does not modify already HTML safe strings' do
+        expect(described_class.html_escape_once("{{safe}}".html_safe)).to eq("{{safe}}")
+      end
+    end
+  end
 end

data/spec/angular_xss/escaper_spec.rb

@@ -0,0 +1,21 @@
+describe AngularXss::Escaper do
+  describe '.escape' do
+    it 'replaces double braces with a closed variant' do
+      expect(described_class.escape('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
+    end
+
+    it 'does not handle HTML safe strings differently' do
+      expect(described_class.escape('{{'.html_safe)).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
+    end
+  end
+
+  describe '.escape_if_unsafe' do
+    it 'replaces double braces with a closed variant' do
+      expect(described_class.escape_if_unsafe('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
+    end
+
+    it 'does not modify HTML safe strings' do
+      expect(described_class.escape_if_unsafe('{{'.html_safe)).to eq('{{')
+    end
+  end
+end

data/spec/angular_xss/haml_spec.rb

@@ -1,5 +1,3 @@
-require 'spec_helper'
-
 describe 'Angular XSS prevention in Haml', :type => :view do
 
   it_should_behave_like 'engine preventing Angular XSS', :partial => 'test_haml'

data/spec/angular_xss/output_buffer_spec.rb

@@ -0,0 +1,45 @@
+describe ActionView::OutputBuffer do
+  describe '#<<' do
+    it 'escapes angular braces' do
+      expect((subject << "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not change behavior for already HTML safe strings' do
+      expect((subject << "{{safe}}".html_safe).to_s).to eq("{{safe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject << nil }.to_not raise_error
+    end
+  end
+
+  describe '#concat' do
+    it 'escapes angular braces' do
+      expect((subject.concat "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not change behavior for already HTML safe strings' do
+      expect((subject.concat "{{safe}}".html_safe).to_s).to eq("{{safe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject.concat nil }.to_not raise_error
+    end
+  end
+
+  describe '#append=' do
+    it 'escapes angular braces' do
+      subject.append = "{{unsafe}}"
+      expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not change behavior for already HTML safe strings' do
+      subject.append = "{{safe}}".html_safe
+      expect(subject.to_s).to eq("{{safe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject.append = nil }.to_not raise_error
+    end
+  end
+end

data/spec/angular_xss/safe_buffer_spec.rb

@@ -1,9 +1,21 @@
-require 'spec_helper'
-
 describe ActiveSupport::SafeBuffer do
 
-  it 'still allows concatting nil' do
-    expect { subject << nil }.to_not raise_error
+  describe '#<<' do
+    it 'escapes angular braces' do
+      subject << "{{unsafe}}"
+      expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject << nil }.to_not raise_error
+    end
+  end
+
+  describe '#+' do
+    it 'escapes angular braces' do
+      combined_string = subject + "{{unsafe}}"
+      expect(combined_string.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
   end
 
 end

data/spec/spec_helper.rb

@@ -17,7 +17,11 @@ module Rails
 end
 
 require 'haml'
-require 'haml/template'
+if Gem::Version.new(Haml::VERSION) < Gem::Version.new(6)
+  require 'haml/template'
+else
+  require 'haml/rails_template'
+end
 
 require 'angular_xss'
 
@@ -25,13 +29,3 @@ require 'angular_xss'
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
 
 TEMPLATE_ROOT = Pathname.new(__dir__).join('templates')
-
-
-RSpec.configure do |config|
-  config.mock_with :rspec do |c|
-    c.syntax = [:should, :expect]
-  end
-  config.expect_with :rspec do |c|
-    c.syntax = [:should, :expect]
-  end
-end

data/spec/support/engine_preventing_angular_xss.rb

@@ -2,7 +2,7 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
 
   let(:path_set) { ActionView::LookupContext.new([TEMPLATE_ROOT]) }
 
-  if defined?(ActionView::VERSION) && ActionView::VERSION::MAJOR >= 6
+  if defined?(ActionView::VERSION) && Gem::Version.new(ActionView::VERSION::MAJOR) >= Gem::Version.new(6)
     let(:engine) { ActionView::Base.with_empty_template_cache.new(path_set, {}, nil) }
   else
     let(:engine) { ActionView::Base.new(path_set) }
@@ -11,14 +11,18 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
   let(:html) { engine.render(partial) }
 
   it 'escapes Angular interpolation marks in unsafe strings' do
-    html.should_not include('{{unsafe}}')
-    html.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(html).not_to include('{{unsafe}}')
+    expect(html).to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
   end
 
   it 'recognizes the many ways to express an opening curly brace in HTML' do
+    # Only unsafe strings are escaped
+    expect(html).to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    expect(html).not_to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
 
-    html.should include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
-    html.should_not include("{{unsafe}}")
+    # Only safe strings with braces are left untouched
+    expect(html).to include("{{safe}}")
+    expect(html).not_to include("{{unsafe}}")
 
     braces = [
      '{',
@@ -35,15 +39,15 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
 
     braces.each do |brace1|
       braces.each do |brace2|
-        html.should_not include("#{brace1}#{brace2}unsafe}}")
+        expect(html).not_to include("#{brace1}#{brace2}unsafe}}")
       end
     end
 
   end
 
   it 'does not escape Angular interpolation marks in safe strings' do
-    html.should include("{{safe}}")
-    html.should_not include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
+    expect(html).to include("{{safe}}")
+    expect(html).not_to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
   end
 
   it 'does not escape Angular interpolation marks in a block where AngularXSS is disabled' do
@@ -52,8 +56,8 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
       result = html
     end
 
-    result.should include('{{unsafe}}')
-    result.should_not include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(result).to include('{{unsafe}}')
+    expect(result).not_to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
   end
 
   it 'does escape Angular interpolation marks after the block where AngularXSS is disabled' do
@@ -61,27 +65,27 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
     end
     result = html
 
-    result.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
-    result.should_not include('{{unsafe}}')
+    expect(result).to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(result).not_to include('{{unsafe}}')
   end
 
   it 'is not confused by exceptions in disable blocks' do
     class SomeException < StandardError; end
 
-    proc {
+    expect do
       AngularXss.disable do
         raise SomeException
       end
-    }.should raise_error(SomeException)
+    end.to raise_error(SomeException)
 
-    html.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
-    html.should_not include('{{unsafe}}')
+    expect(html).to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(html).not_to include('{{unsafe}}')
   end
 
   it 'does not escape twice' do
     escaped = AngularXss::Escaper.escape('{{')
     double_escaped = AngularXss::Escaper.escape(escaped)
-    html.should_not include(double_escaped)
+    expect(html).not_to include(double_escaped)
   end
 
 end

data/spec/templates/_test_erb.erb

@@ -1,14 +1,23 @@
-<%= "{{unsafe}}" %>
-<%= "{{safe}}".html_safe %>
+<%- unsafe_string = '{{unsafe}}' %>
+<%- safe_string = '{{safe}}'.html_safe %>
+
+<%= unsafe_string %>
+<%= safe_string %>
+
+<%= ''.html_safe + unsafe_string %>
+<%= ''.html_safe + safe_string %>
+
+<%= ''.html_safe << unsafe_string %>
+<%= ''.html_safe << safe_string %>
 
 {{safe}}
 
-<div foo="{{safe}}" bar="<%= '{{unsafe}}' %>">
+<div foo="{{safe}}" bar="<%= unsafe_string %>">
   {{safe}}
 </div>
 
-<%= content_tag(:span, '{{unsafe}}') %>
-<%= content_tag(:span, '{{safe}}'.html_safe) %>
+<%= content_tag(:span, unsafe_string) %>
+<%= content_tag(:span, safe_string) %>
 
 <%= '{&lcub;unsafe}}' %>
 <%= '{&lbrace;unsafe}}' %>

data/spec/templates/_test_haml.haml

@@ -1,11 +1,46 @@
-= "{{unsafe}}"
-#{'{{unsafe}}'}
-= "{{safe}}".html_safe
+-# HTML attributes and static string interpolation in Haml work in different ways:
+-# 1. Under certain conditions, attributes are precompiled.
+-#    We never have to escape those because they can not contain user input.
+-# 2. Whenever there is a Ruby call on attributes, Haml will have to evaluate
+-#    them at runtime. Since they can contain user input, XSS logic applies.
+
+-# precompiled (static)
+- if Gem::Version.new(Haml::VERSION) >= Gem::Version.new(6)
+  -# HAML 6 is smart enough to recognize static strings and will not
+  -# escape it - so neither do we
+  #{'{{safe}}'}
+  = "{{safe}}"
+- else
+  #{'{{unsafe}}'}
+  = "{{unsafe}}"
 
 {{safe}}
+%div(foo='{{safe}}')
+%div{:class => '{{safe}}', :id => '{{safe}}'}
+
+-# Compiled at runtime:
+- unsafe_evaluated_variable = '{{unsafe}}'
+- safe_evaluated_variable = '{{safe}}'.html_safe
+
+= unsafe_evaluated_variable
+= safe_evaluated_variable
+
+#{unsafe_evaluated_variable}
+#{safe_evaluated_variable}
+
+= ''.html_safe + unsafe_evaluated_variable
+= ''.html_safe + safe_evaluated_variable
+
+= ''.html_safe << unsafe_evaluated_variable
+= ''.html_safe << safe_evaluated_variable
 
-= content_tag(:span, '{{unsafe}}')
-= content_tag(:span, '{{safe}}'.html_safe)
+= content_tag(:span, unsafe_evaluated_variable)
+= content_tag(:span, safe_evaluated_variable)
+
+%div{:class => unsafe_evaluated_variable, :id => unsafe_evaluated_variable}
+%div(bar="#{unsafe_evaluated_variable}")
+  %div{:foo => safe_evaluated_variable, :bar => unsafe_evaluated_variable}
+  {{safe}}
 
 = '{&lcub;unsafe}}'
 = '{&lbrace;unsafe}}'
@@ -17,21 +52,3 @@
 = '{&#000000123;unsafe}}'
 = '{&#0000000000000123;unsafe}}'
 = '&lcub;&#x7b;unsafe}}'
-
--# HTML attributes in Haml work in different ways:
--# 1. Under certain conditions, attributes are precompiled.
--#    We never have to escape those because they can not contain user input.
--# 2. Whenever there is a Ruby call on attributes, Haml will have to evaluate
--#    them at runtime. Since they can contain user input, XSS logic applies.
-
--# Precompiled:
-%div(foo='{{safe}}')
-%div{:class => '{{safe}}', :id => '{{safe}}'}
-
--# Compiled at runtime:
-- unsafe = '{{unsafe}}'
-- safe = '{{safe}}'.html_safe
-%div{:class => unsafe, :id => unsafe}
-%div(bar="#{unsafe}")
-  %div{:foo => safe, :bar => unsafe}
-  {{safe}}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: angular_xss
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Henning Koch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-16 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,8 +52,8 @@ files:
 - CHANGELOG.md
 - Gemfile
 - Gemfile.lock
-- Gemfile.rails-3.2
-- Gemfile.rails-3.2.lock
+- Gemfile.rails-3.2.haml-4
+- Gemfile.rails-3.2.haml-4.lock
 - Gemfile.rails-4.2.haml-4
 - Gemfile.rails-4.2.haml-4.lock
 - Gemfile.rails-4.2.haml-5
@@ -66,6 +66,10 @@ files:
 - Gemfile.rails-6.1.haml-5.lock
 - Gemfile.rails-7.0.haml-5
 - Gemfile.rails-7.0.haml-5.lock
+- Gemfile.rails-7.1.haml-5
+- Gemfile.rails-7.1.haml-5.lock
+- Gemfile.rails-7.1.haml-6
+- Gemfile.rails-7.1.haml-6.lock
 - LICENSE
 - README.md
 - Rakefile
@@ -75,10 +79,13 @@ files:
 - lib/angular_xss/erb.rb
 - lib/angular_xss/escaper.rb
 - lib/angular_xss/haml.rb
+- lib/angular_xss/output_buffer.rb
 - lib/angular_xss/safe_buffer.rb
 - lib/angular_xss/version.rb
 - spec/angular_xss/erb_spec.rb
+- spec/angular_xss/escaper_spec.rb
 - spec/angular_xss/haml_spec.rb
+- spec/angular_xss/output_buffer_spec.rb
 - spec/angular_xss/safe_buffer_spec.rb
 - spec/spec_helper.rb
 - spec/support/engine_preventing_angular_xss.rb
@@ -104,14 +111,16 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.9
+rubygems_version: 3.5.13
 signing_key: 
 specification_version: 4
 summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in
   unsafe strings.
 test_files:
 - spec/angular_xss/erb_spec.rb
+- spec/angular_xss/escaper_spec.rb
 - spec/angular_xss/haml_spec.rb
+- spec/angular_xss/output_buffer_spec.rb
 - spec/angular_xss/safe_buffer_spec.rb
 - spec/spec_helper.rb
 - spec/support/engine_preventing_angular_xss.rb