brakeman 4.8.0 → 5.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9fc685c4c11551609deb40d0f9dd7c52de252bd3d41df2b218b223f9ece39d1d
-  data.tar.gz: 617bad5960914fded62c1b5ac35746058a4727996f99d3c3d5751b0b30ce2dd9
+  metadata.gz: b6672aa0a7532078f913b27574846fc26abd9fc624af178b9017f2de885f5505
+  data.tar.gz: a3eeda0729d72d601bc94f4296f4f878e2cd970ef089f38dd0fcaad2e361f36c
 SHA512:
-  metadata.gz: 1bb7b0dc6ae7c7e238008ed69119e196d2104c2344e405cdb1b27dad28f2ad811ebdbb3876757b46415cd38484ed4011e0f76a8e9ef52ec2a153bcca13bb24c9
-  data.tar.gz: c9d515e506e27ed2b7cebfea3379298d6b1fb58cc05b506256686aed977d003f8cf341066d487fd3f09b7b16907b7cd9c2355170c188321c22992e4faf4a8dd2
+  metadata.gz: 700ed2e62792a1d2a38222199f2030f29aafee865f79e0b57be17fbbc718f6bbc1dadc1f5e3ceab4b961635f165f1fdcd9303520a4e5a897044e682319aca200
+  data.tar.gz: 2f030bd82e1c7bccd70610151c8baec7a0ed4723226e41f9cd0104d56c51cc443ace66ac9ac43381aaee4f27d5ffad807476060eca2d308d5f878370e0bd7874

data/CHANGES.md

@@ -1,4 +1,146 @@
-# Unreleased
+# 5.2.1 - 2022-01-30
+
+* Add warning codes for EOL software warnings
+
+# 5.2.0 - 2021-12-15
+
+* Initial Rails 7 support
+* Require Ruby 2.5.0+
+* Fix issue with calls to `foo.root` in routes
+* Ignore `I18n.locale` in SQL queries
+* Do not treat `sanitize_sql_like` as safe
+* Add new checks for unsupported Ruby and Rails versions
+
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
+# 5.1.1 - 2021-07-19
+
+* Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
+
+# 5.1.0 - 2021-07-19
+
+* Initial support for ActiveRecord enums
+* Support `Hash#include?`
+* Interprocedural dataflow from very simple class methods
+* Fix SARIF report when checks have no description (Eli Block)
+* Add ignored warnings to SARIF report (Eli Block)
+* Add `--sql-safe-methods` option (Esty Scheiner)
+* Update SQL injection check for Rails 6.0/6.1
+* Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
+* Fix infinite loop on mixin self-includes (Andrew Szczepanski)
+* Ignore dates in SQL
+* Refactor `cookie?`/`param?` methods (Keenan Brock)
+* Ignore renderables in dynamic render path check (Brad Parker)
+* Support `Array#push`
+* Better `Array#join` support
+* Adjust copy of `--interactive` menu (Elia Schito)
+* Support `Array#*`
+* Better method definition tracking and lookup
+* Support `Hash#values` and `Hash#values_at`
+* Check for user-controlled evaluation even if it's a call target
+* Support `Array#fetch` and `Hash#fetch`
+* Ignore `sanitize_sql_like` in SQL
+* Ignore method calls on numbers in SQL
+* Add GitHub Actions format (Klaus Badelt)
+* Read and parse files in parallel
+
+# 5.0.4 - 2021-06-08
+
+(brakeman gem release only)
+
+* Update bundled `ruby_parser` to include argument forwarding support
+
+# 5.0.2 - 2021-06-07
+
+* Fix Loofah version check
+
+# 5.0.1 - 2021-04-27
+
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
+
+# 5.0.0 - 2021-01-26
+
+* Ignore `uuid` as a safe attribute
+* Collapse `__send__` calls
+* Ignore `Tempfile#path` in shell commands
+* Ignore development environment
+* Revamp CSV report to a CSV list of warnings
+* Set Rails configuration defaults based on `load_defaults` version
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
+
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
 
 * Add JUnit-XML report format (Naoki Kimura)
 * Sort ignore files by fingerprint and line (Ngan Pham)
@@ -328,7 +470,7 @@
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)

data/README.md

@@ -16,9 +16,11 @@ Using RubyGems:
 
 Using Bundler:
 
-    group :development do
-      gem 'brakeman'
-    end
+```ruby
+group :development do
+  gem 'brakeman'
+end
+```
 
 Using Docker:
 
@@ -64,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
 
 # Basic Options
 
@@ -74,12 +76,16 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
 
 Multiple output files can be specified:
 
     brakeman -o output.html -o output.json
 
+To output to both a file and to the console, with color:
+
+    brakeman --color -o /dev/stdout -o output.json
+
 To suppress informational warnings and just output the report:
 
     brakeman -q
@@ -153,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
 
 # Configuration files
 
-Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+Brakeman options can be stored and read from YAML files.
+
+To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
+
+```sh
+$ brakeman -C --skip-files plugins/
+---
+:skip_files:
+- plugins/
+```
 
 Options passed in on the commandline have priority over configuration files.
 
@@ -167,6 +182,8 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
+There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+
 # Building
 
     git clone git://github.com/presidentbeef/brakeman.git

data/bundle/load.rb

@@ -1,14 +1,16 @@
 path = File.expand_path('../..', __FILE__)
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.0.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.6.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.1.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.14.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Haml Changelog
 
+## 5.2.2
+Released on July 27, 2021
+([diff](https://github.com/haml/haml/compare/v5.2.1...v5.2.2)).
+
+* Support for adding Annotations to Haml output (a Rails feature 6.1+)
+* Expanded test matrix to include Ruby 3.0 and Rails 6.1
+* Only testing Ruby 2.7+ and Rails 5.2+
+
+## 5.2.1
+
+Released on November 30, 2020
+([diff](https://github.com/haml/haml/compare/v5.2.0...v5.2.1)).
+
+* Add in improved "multiline" support for attributes [#1043](https://github.com/haml/haml/issues/1043)
+
+## 5.2
+
+Released on September 28, 2020
+([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2.0)).
+
+* Fix crash in the attribute optimizer when `#inspect` is overridden in TrueClass / FalseClass [#972](https://github.com/haml/haml/issues/972)
+* Do not HTML-escape templates that are declared to be plaintext [#1014](https://github.com/haml/haml/issues/1014) (Thanks [@cesarizu](https://github.com/cesarizu))
+* Class names are no longer ordered alphabetically, and now follow a new specification as laid out in REFERENCE [#306](https://github.com/haml/haml/issues/306)
+
 ## 5.1.2
 
 Released on August 6, 2019

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/Gemfile

@@ -3,6 +3,7 @@ gemspec
 
 gem "m"
 gem "pry"
+gem "simplecov"
 
 group :docs do
   gem "yard"
@@ -13,7 +14,3 @@ end
 platform :mri do
   gem "ruby-prof"
 end
-
-platform :mri_21 do
-  gem "simplecov"
-end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/README.md

@@ -1,9 +1,8 @@
 # Haml
 
 [![Gem Version](https://badge.fury.io/rb/haml.svg)](http://rubygems.org/gems/haml)
-[![Build Status](https://travis-ci.org/haml/haml.svg?branch=master)](http://travis-ci.org/haml/haml)
+[![Build Status](https://travis-ci.org/haml/haml.svg?branch=main)](http://travis-ci.org/haml/haml)
 [![Code Climate](https://codeclimate.com/github/haml/haml/badges/gpa.svg)](https://codeclimate.com/github/haml/haml)
-[![Coverage Status](http://img.shields.io/coveralls/haml/haml.svg)](https://coveralls.io/r/haml/haml)
 [![Inline docs](http://inch-ci.org/github/haml/haml.png)](http://inch-ci.org/github/haml/haml)
 
 Haml is a templating engine for HTML. It's designed to make it both easier and
@@ -11,6 +10,13 @@ more pleasant to write HTML documents, by eliminating redundancy, reflecting the
 underlying structure that the document represents, and providing an elegant syntax
 that's both powerful and easy to understand.
 
+### Supported Versions
+
+* Ruby 2.6+
+* Rails 5.1+
+
+Other versions may likely work, but we don't test against them.
+
 ## Basic Usage
 
 Haml can be used from the command line or as part of a Ruby web framework. The
@@ -32,7 +38,7 @@ to compile it to HTML. For more information on these commands, check out
 haml --help
 ~~~
 
-To use Haml programatically, check out the [YARD documentation](http://haml.info/docs/yardoc/).
+To use Haml programmatically, check out the [YARD documentation](http://haml.info/docs/yardoc/).
 
 ## Using Haml with Rails
 
@@ -163,35 +169,34 @@ on a specific area:
 ruby -Itest test/helper_test.rb -n test_buffer_access
 ~~~
 
-Haml currently supports Ruby 2.0.0 and higher, so please make sure your changes run on 2.0+.
+Haml currently supports Ruby 2.7.0 and higher, so please make sure your changes run on 2.7+.
 
 ## Team
 
 ### Current Maintainers
 
-* [Akira Matsuda](https://github.com/amatsuda)
-* [Matt Wildig](https://github.com/mattwildig)
-* [Tee Parham](https://github.com/teeparham)
+* [Hampton Catlin](https://github.com/hcatlin)
 * [Takashi Kokubun](https://github.com/k0kubun)
+* [Akira Matsuda](https://github.com/amatsuda)
 
 ### Alumni
 
 Haml was created by [Hampton Catlin](http://hamptoncatlin.com), the author of
-the original implementation. Hampton is no longer involved in day-to-day coding,
-but still consults on language issues.
+the original implementation.
 
-[Natalie Weizenbaum](http://nex-3.com) was for many years the primary developer
+[Natalie Weizenbaum](https://github.com/nex3) was for many years the primary developer
 and architect of the "modern" Ruby implementation of Haml.
 
-[Norman Clarke](http://github.com/norman) was the primary maintainer of Haml from 2012 to 2016.
-
-## License
+This project's been around for many years, and we have many amazing people who kept the project 
+alive! as former maintainers like:
 
-Some of Natalie's work on Haml was supported by Unspace Interactive.
+[Norman Clarke](http://github.com/norman)
+[Matt Wildig](https://github.com/mattwildig)
+[Tee Parham](https://github.com/teeparham)
 
-Beyond that, the implementation is licensed under the MIT License.
+## License
 
-Copyright (c) 2006-2019 Hampton Catlin, Natalie Weizenbaum and the Haml team
+Copyright (c) 2006-2021 Hampton Catlin, Natalie Weizenbaum and the Haml team
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/REFERENCE.md

@@ -107,13 +107,20 @@ output.
 In Rails, options can be set by setting the {Haml::Template#options Haml::Template.options}
 hash in an initializer:
 
-    # config/initializers/haml.rb
-    Haml::Template.options[:format] = :html5
+```ruby
+# config/initializers/haml.rb
+Haml::Template.options[:format] = :html5
+
+# Avoid escaping attributes which are already escaped
+Haml::Template.options[:escape_attrs] = :once
+```
 
 Outside Rails, you can set them by configuring them globally in
 Haml::Options.defaults:
 
-    Haml::Options.defaults[:format] = :html5
+```ruby
+Haml::Options.defaults[:format] = :html5
+```
 
 In sinatra specifically, you can set them in global config with:
 ```ruby
@@ -228,15 +235,19 @@ is compiled to:
     <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'></html>
 
 Attribute hashes can also be stretched out over multiple lines to accommodate
-many attributes. However, newlines may only be placed immediately after commas.
-For example:
+many attributes.
 
-    %script{:type => "text/javascript",
-            :src  => "javascripts/script_#{2 + 7}"}
+    %script{
+      "type": text/javascript",
+      "src": javascripts/script_#{2 + 7}",
+      "data": {
+        "controller": "reporter",
+      },
+    }
 
 is compiled to:
 
-    <script src='javascripts/script_9' type='text/javascript'></script>
+    <script src='javascripts/script_9' type='text/javascript' data-controller='reporter'></script>
 
 #### `:class` and `:id` Attributes {#class-and-id-attributes}
 
@@ -517,6 +528,24 @@ and is compiled to:
       </div>
     </div>
 
+#### Class Name Merging and Ordering
+
+Class names are ordered in the following way:
+
+1) Tag identifiers in order (aka, ".alert.me" => "alert me")
+2) Classes appearing in HTML-style attributes
+3) Classes appearing in Hash-style attributes
+
+For instance, this is a complicated and unintuitive test case illustrating the ordering
+
+    .foo.moo{:class => ['bar', 'alpha']}(class='baz')
+
+The resulting HTML would be as follows:
+
+    <div class='foo moo baz bar alpha'></div>
+
+*Versions of Haml prior to 5.0 would alphabetically sort class names.*
+
 ### Empty (void) Tags: `/`
 
 The forward slash character, when placed at the end of a tag definition, causes
@@ -853,7 +882,7 @@ is compiled to:
 
 ## Ruby Evaluation
 
-### Inserting Ruby: `=`
+### Inserting Ruby: `=` {#inserting_ruby}
 
 The equals character is followed by Ruby code. This code is evaluated and the
 output is inserted into the document. For example:
@@ -1323,7 +1352,7 @@ that just need a lot of template information.
 So data structures and  functions that require lots of arguments
 can be wrapped over multiple lines,
 as long as each line but the last ends in a comma
-(see [Inserting Ruby](#inserting_ruby_)).
+(see [Inserting Ruby](#inserting_ruby)).
 
 ## Whitespace Preservation
 

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/haml.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.license     = "MIT"
   spec.metadata    = {
     "bug_tracker_uri"   => "https://github.com/haml/haml/issues",
-    "changelog_uri"     => "https://github.com/haml/haml/blob/master/CHANGELOG.md",
+    "changelog_uri"     => "https://github.com/haml/haml/blob/main/CHANGELOG.md",
     "documentation_uri" => "http://haml.info/docs.html",
     "homepage_uri"      => "http://haml.info",
     "mailing_list_uri"  => "https://groups.google.com/forum/?fromgroups#!forum/haml",
@@ -32,6 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rbench'
   spec.add_development_dependency 'minitest', '>= 4.0'
   spec.add_development_dependency 'nokogiri'
+  spec.add_development_dependency 'simplecov'
 
   spec.description = <<-END
 Haml (HTML Abstraction Markup Language) is a layer on top of HTML or XML that's

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/attribute_builder.rb

@@ -6,6 +6,17 @@ module Haml
     INVALID_ATTRIBUTE_NAME_REGEX = /[ \0"'>\/=]/
 
     class << self
+      def build(class_id, obj_ref, is_html, attr_wrapper, escape_attrs, hyphenate_data_attrs, *attributes_hashes)
+        attributes = class_id
+        attributes_hashes.each do |old|
+          result = {}
+          old.each { |k, v| result[k.to_s] = v }
+          merge_attributes!(attributes, result)
+        end
+        merge_attributes!(attributes, parse_object_ref(obj_ref)) if obj_ref
+        build_attributes(is_html, attr_wrapper, escape_attrs, hyphenate_data_attrs, attributes)
+      end
+
       def build_attributes(is_html, attr_wrapper, escape_attrs, hyphenate_data_attrs, attributes = {})
         # @TODO this is an absolutely ridiculous amount of arguments. At least
         # some of this needs to be moved into an instance method.
@@ -36,9 +47,9 @@ module Haml
 
           value =
             if escape_attrs == :once
-              Haml::Helpers.escape_once(value.to_s)
+              Haml::Helpers.escape_once_without_haml_xss(value.to_s)
             elsif escape_attrs
-              Haml::Helpers.html_escape(value.to_s)
+              Haml::Helpers.html_escape_without_haml_xss(value.to_s)
             else
               value.to_s
             end
@@ -126,7 +137,7 @@ module Haml
         elsif key == 'class'
           merged_class = filter_and_join(from, ' ')
           if to && merged_class
-            merged_class = (merged_class.split(' ') | to.split(' ')).sort.join(' ')
+            merged_class = (to.split(' ') | merged_class.split(' ')).join(' ')
           elsif to || merged_class
             merged_class ||= to
           end
@@ -159,6 +170,50 @@ module Haml
           hash.merge! flatten_data_attributes(v, joined, join_char, seen)
         end
       end
+
+      # Takes an array of objects and uses the class and id of the first
+      # one to create an attributes hash.
+      # The second object, if present, is used as a prefix,
+      # just like you can do with `dom_id()` and `dom_class()` in Rails
+      def parse_object_ref(ref)
+        prefix = ref[1]
+        ref = ref[0]
+        # Let's make sure the value isn't nil. If it is, return the default Hash.
+        return {} if ref.nil?
+        class_name =
+          if ref.respond_to?(:haml_object_ref)
+            ref.haml_object_ref
+          else
+            underscore(ref.class)
+          end
+        ref_id =
+          if ref.respond_to?(:to_key)
+            key = ref.to_key
+            key.join('_') unless key.nil?
+          else
+            ref.id
+          end
+        id = "#{class_name}_#{ref_id || 'new'}"
+        if prefix
+          class_name = "#{ prefix }_#{ class_name}"
+          id = "#{ prefix }_#{ id }"
+        end
+
+        { 'id'.freeze => id, 'class'.freeze => class_name }
+      end
+
+      # Changes a word from camel case to underscores.
+      # Based on the method of the same name in Rails' Inflector,
+      # but copied here so it'll run properly without Rails.
+      def underscore(camel_cased_word)
+        word = camel_cased_word.to_s.dup
+        word.gsub!(/::/, '_')
+        word.gsub!(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+        word.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
+        word.tr!('-', '_')
+        word.downcase!
+        word
+      end
     end
   end
 end