haml-edge 2.3.51 → 2.3.52

data/EDGE_GEM_VERSION

@@ -1 +1 @@
-2.3.51
+2.3.52

data/VERSION

@@ -1 +1 @@
-2.3.51
+2.3.52

data/lib/haml/buffer.rb

@@ -130,6 +130,8 @@ module Haml
     Haml::Util.def_static_method(self, :format_script, [:result],
                                  :preserve_script, :in_tag, :preserve_tag, :escape_html,
                                  :nuke_inner_whitespace, :interpolated, :ugly, <<RUBY)
+      <% # Escape HTML here so that the safety of the string is preserved in Rails
+         result_name = escape_html ? "html_escape(result.to_s)" : "result.to_s" %>
       <% unless ugly %>
         # If we're interpolated,
         # then the custom tabulation is handled in #push_text.
@@ -140,13 +142,11 @@ module Haml
         <% end %>
 
         tabulation = @real_tabs
-        result = result.to_s.<% if nuke_inner_whitespace %>strip<% else %>rstrip<% end %>
+        result = <%= result_name %>.<% if nuke_inner_whitespace %>strip<% else %>rstrip<% end %>
       <% else %>
-        result = result.to_s<% if nuke_inner_whitespace %>.strip<% end %>
+        result = <%= result_name %><% if nuke_inner_whitespace %>.strip<% end %>
       <% end %>
 
-      <% if escape_html %> result = html_escape(result) <% end %>
-
       <% if preserve_tag %>
         result = Haml::Helpers.preserve(result)
       <% elsif preserve_script %>

data/lib/haml/engine.rb

@@ -288,6 +288,7 @@ module Haml
         :ugly => @options[:ugly],
         :format => @options[:format],
         :encoding => @options[:encoding],
+        :escape_html => @options[:escape_html],
       }
     end
 

data/lib/haml/helpers/action_view_extensions.rb

@@ -35,6 +35,21 @@ module Haml
         controller.controller_name + " " + controller.action_name
       end
       alias_method :generate_content_class_names, :page_class
+
+      # Treats all input to \{Haml::Helpers#haml\_concat} within the block
+      # as being HTML safe for Rails' XSS protection.
+      # This is useful for wrapping blocks of code that concatenate HTML en masse.
+      #
+      # This has no effect if Rails' XSS protection isn't enabled.
+      #
+      # @yield A block in which all input to `#haml_concat` is treated as raw.
+      # @see Haml::Util#rails_xss_safe?
+      def with_raw_haml_concat
+        @_haml_concat_raw = true
+        yield
+      ensure
+        @_haml_concat_raw = false
+      end
     end
   end
 end

data/lib/haml/helpers/action_view_mods.rb

@@ -26,6 +26,7 @@ module ActionView
 
       def set_output_buffer_with_haml(new)
         if is_haml?
+          new = String.new(new) if Haml::Util.rails_xss_safe? && new.is_a?(ActionView::SafeBuffer)
           haml_buffer.buffer = new
         else
           set_output_buffer_without_haml new

data/lib/haml/helpers/xss_mods.rb

@@ -0,0 +1,94 @@
+module Haml
+  module Helpers
+    # This module overrides Haml helpers to work properly
+    # in the context of ActionView.
+    # Currently it's only used for modifying the helpers
+    # to work with Rails' XSS protection methods.
+    module XssMods
+      def self.included(base)
+        %w[html_escape find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_indent
+           haml_tag escape_once].each do |name|
+          base.send(:alias_method, "#{name}_without_haml_xss", name)
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
+      end
+
+      # Don't escape text that's already safe,
+      # output is always HTML safe
+      def html_escape_with_haml_xss(text)
+        return text if text.html_safe?
+        html_escape_without_haml_xss(text).html_safe!
+      end
+
+      # Output is always HTML safe
+      def find_and_preserve_with_haml_xss(*args, &block)
+        find_and_preserve_without_haml_xss(*args, &block).html_safe!
+      end
+
+      # Output is always HTML safe
+      def preserve_with_haml_xss(*args, &block)
+        preserve_without_haml_xss(*args, &block).html_safe!
+      end
+
+      # Output is always HTML safe
+      def list_of_with_haml_xss(*args, &block)
+        list_of_without_haml_xss(*args, &block).html_safe!
+      end
+
+      # Input is escaped, output is always HTML safe
+      def surround_with_haml_xss(front, back = front, &block)
+        surround_without_haml_xss(
+          haml_xss_html_escape(front),
+          haml_xss_html_escape(back),
+          &block).html_safe!
+      end
+
+      # Input is escaped, output is always HTML safe
+      def precede_with_haml_xss(str, &block)
+        precede_without_haml_xss(haml_xss_html_escape(str), &block).html_safe!
+      end
+
+      # Input is escaped, output is always HTML safe
+      def succeed_with_haml_xss(str, &block)
+        succeed_without_haml_xss(haml_xss_html_escape(str), &block).html_safe!
+      end
+
+      # Output is always HTML safe
+      def capture_haml_with_haml_xss(*args, &block)
+        capture_haml_without_haml_xss(*args, &block).html_safe!
+      end
+
+      # Input is escaped
+      def haml_concat_with_haml_xss(text = "")
+        haml_concat_without_haml_xss(@_haml_concat_raw ? text : haml_xss_html_escape(text))
+      end
+
+      # Output is always HTML safe
+      def haml_indent_with_haml_xss
+        haml_indent_without_haml_xss.html_safe!
+      end
+
+      # Input is escaped, haml_concat'ed output is always HTML safe
+      def haml_tag_with_haml_xss(name, *rest, &block)
+        name = haml_xss_html_escape(name.to_s)
+        rest.unshift(haml_xss_html_escape(rest.shift.to_s)) unless [Symbol, Hash, NilClass].any? {|t| rest.first.is_a? t}
+        with_raw_haml_concat {haml_tag_without_haml_xss(name, *rest, &block)}
+      end
+
+      # Output is always HTML safe
+      def escape_once_with_haml_xss(*args)
+        escape_once_without_haml_xss(*args).html_safe!
+      end
+
+      private
+
+      # Escapes the HTML in the text if and only if
+      # Rails XSS protection is enabled *and* the `:escape_html` option is set.
+      def haml_xss_html_escape(text)
+        return text unless Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html]
+        html_escape(text)
+      end
+    end
+  end
+end

data/lib/haml/helpers.rb

@@ -467,6 +467,10 @@ END
     # Returns a copy of `text` with ampersands, angle brackets and quotes
     # escaped into HTML entities.
     #
+    # Note that if ActionView is loaded and XSS protection is enabled
+    # (as is the default for Rails 3.0+, and optional for version 2.3.5+),
+    # this won't escape text declared as "safe".
+    #
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def html_escape(text)

data/lib/haml/template.rb

@@ -27,6 +27,21 @@ else
   require 'haml/template/patch'
 end
 
+if ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
+  Haml::Template.options[:escape_html] = true
+
+  module Haml::Util
+    def rails_xss_safe?
+      true
+    end
+  end
+
+  require 'haml/helpers/xss_mods'
+  module Haml::Helpers
+    include XssMods
+  end
+end
+
 if defined?(RAILS_ROOT)
   # Update init.rb to the current version
   # if it's out of date.

data/lib/haml/util.rb

@@ -122,6 +122,26 @@ module Haml
       end
     end
 
+    ## Rails XSS Safety
+
+    # Whether or not ActionView's XSS protection is available and enabled,
+    # as is the default for Rails 3.0+, and optional for version 2.3.5+.
+    # Overridden in haml/template.rb if this is the case.
+    #
+    # @return [Boolean]
+    def rails_xss_safe?
+      false
+    end
+
+    # Assert that a given object (usually a String) is HTML safe
+    # according to Rails' XSS handling, if it's loaded.
+    #
+    # @param text [Object]
+    def assert_html_safe!(text)
+      return unless rails_xss_safe? && text && !text.to_s.html_safe?
+      raise Haml::Error.new("Expected #{text.inspect} to be HTML-safe.")
+    end
+
     ## Cross-Ruby-Version Compatibility
 
     # Whether or not this is running under Ruby 1.8 or lower.

data/test/haml/template_test.rb

@@ -85,6 +85,7 @@ class TemplateTest < Test::Unit::TestCase
   end
 
   def render(text, opts = {})
+    return @base.render(:inline => text, :type => :haml) if opts == :action_view
     Haml::Engine.new(text, opts).to_html(@base)
   end
 
@@ -95,6 +96,8 @@ class TemplateTest < Test::Unit::TestCase
   end
 
   def assert_renders_correctly(name, &render_method)
+    old_options = Haml::Template.options.dup
+    Haml::Template.options[:escape_html] = false
     if ActionPack::VERSION::MAJOR < 2 ||
         (ActionPack::VERSION::MAJOR == 2 && ActionPack::VERSION::MINOR < 2)
       render_method ||= proc { |name| @base.render(name) }
@@ -112,6 +115,8 @@ class TemplateTest < Test::Unit::TestCase
     else
       raise e
     end
+  ensure
+    Haml::Template.options = old_options
   end
 
   def test_empty_render_should_remain_empty
@@ -176,12 +181,13 @@ class TemplateTest < Test::Unit::TestCase
   end
 
   def test_haml_options
-    Haml::Template.options = { :suppress_eval => true }
-    assert_equal({ :suppress_eval => true }, Haml::Template.options)
+    old_options = Haml::Template.options.dup
+    Haml::Template.options[:suppress_eval] = true
     old_base, @base = @base, create_base
     assert_renders_correctly("eval_suppressed")
+  ensure
     @base = old_base
-    Haml::Template.options = {}
+    Haml::Template.options = old_options
   end
 
   def test_with_output_buffer_with_ugly
@@ -231,5 +237,41 @@ END
     else
       assert false
     end
-  end  
+  end
+
+  ## XSS Protection Tests
+
+  if Haml::Util.rails_xss_safe?
+    def test_escape_html_option_set
+      assert Haml::Template.options[:escape_html]
+    end
+
+    def test_xss_protection
+      assert_equal("Foo &amp; Bar\n", render('= "Foo & Bar"', :action_view))
+    end
+
+    def test_xss_protection_with_safe_strings
+      assert_equal("Foo & Bar\n", render('= "Foo & Bar".html_safe!', :action_view))
+    end
+
+    def test_xss_protection_with_bang
+      assert_equal("Foo & Bar\n", render('!= "Foo & Bar"', :action_view))
+    end
+
+    def test_xss_protection_in_interpolation
+      assert_equal("Foo &amp; Bar\n", render('Foo #{"&"} Bar', :action_view))
+    end
+
+    def test_xss_protection_with_bang_in_interpolation
+      assert_equal("Foo & Bar\n", render('! Foo #{"&"} Bar', :action_view))
+    end
+
+    def test_xss_protection_with_safe_strings_in_interpolation
+      assert_equal("Foo & Bar\n", render('Foo #{"&".html_safe!} Bar', :action_view))
+    end
+
+    def test_xss_protection_with_mixed_strings_in_interpolation
+      assert_equal("Foo & Bar &amp; Baz\n", render('Foo #{"&".html_safe!} Bar #{"&"} Baz', :action_view))
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: haml-edge
 version: !ruby/object:Gem::Version 
-  version: 2.3.51
+  version: 2.3.52
 platform: ruby
 authors: 
 - Nathan Weizenbaum
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-10-16 00:00:00 -04:00
+date: 2009-10-17 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -63,6 +63,7 @@ files:
 - lib/haml/helpers
 - lib/haml/helpers/action_view_extensions.rb
 - lib/haml/helpers/action_view_mods.rb
+- lib/haml/helpers/xss_mods.rb
 - lib/haml/html.rb
 - lib/haml/precompiler.rb
 - lib/haml/shared.rb
@@ -152,8 +153,8 @@ files:
 - test/haml/rhtml/action_view.rhtml
 - test/haml/rhtml/standard.rhtml
 - test/haml/spec
-- test/haml/spec_test.rb
 - test/haml/template_test.rb
+- test/haml/spec_test.rb
 - test/haml/templates
 - test/haml/templates/_av_partial_1.haml
 - test/haml/templates/_av_partial_1_ugly.haml
@@ -300,8 +301,8 @@ test_files:
 - test/haml/engine_test.rb
 - test/haml/helper_test.rb
 - test/haml/html2haml_test.rb
-- test/haml/spec_test.rb
 - test/haml/template_test.rb
+- test/haml/spec_test.rb
 - test/haml/util_test.rb
 - test/sass/css2sass_test.rb
 - test/sass/engine_test.rb