haml-edge 2.3.62 → 2.3.63

data/EDGE_GEM_VERSION

@@ -1 +1 @@
-2.3.62
+2.3.63

data/VERSION

@@ -1 +1 @@
-2.3.62
+2.3.63

data/lib/haml/engine.rb

@@ -179,7 +179,8 @@ module Haml
         @haml_buffer = buffer
       end
 
-      eval(precompiled, scope, @options[:filename], @options[:line])
+      eval(precompiled + "\n" + precompiled_method_return_value,
+        scope, @options[:filename], @options[:line])
 
       # Get rid of the current buffer
       scope_object.instance_eval do

data/lib/haml/precompiler.rb

@@ -99,11 +99,17 @@ __in_erb_template = true
 END
       postamble = <<END.gsub("\n", ";")
 @haml_buffer = @haml_buffer.upper
-_erbout
+#{precompiled_method_return_value}
 END
       preamble + locals_code(local_names) + precompiled + postamble
     end
 
+    # Returns the string used as the return value of the precompiled method.
+    # This method exists so it can be monkeypatched to return modified values.
+    def precompiled_method_return_value
+      "_erbout"
+    end
+
     def locals_code(names)
       names = names.keys if Hash == names
 

data/lib/haml/template.rb

@@ -11,6 +11,31 @@ module Haml
     #
     # @return [Hash<Symbol, Object>]
     attr_accessor :options
+
+    # Enables integration with the Rails 2.2.5+ XSS protection,
+    # if it's available and enabled.
+    #
+    # @return [Boolean] Whether the XSS integration was enabled.
+    def try_enabling_xss_integration
+      return false unless ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
+
+      Haml::Template.options[:escape_html] = true
+
+      Haml::Util.module_eval {def rails_xss_safe?; true; end}
+
+      require 'haml/helpers/xss_mods'
+      Haml::Helpers.send(:include, Haml::Helpers::XssMods)
+
+      Haml::Precompiler.module_eval do
+        def precompiled_method_return_value_with_haml_xss
+          "(#{precompiled_method_return_value_without_haml_xss}).html_safe!"
+        end
+        alias_method :precompiled_method_return_value_without_haml_xss, :precompiled_method_return_value
+        alias_method :precompiled_method_return_value, :precompiled_method_return_value_with_haml_xss
+      end
+
+      true
+    end
   end
 end
 
@@ -27,19 +52,13 @@ else
   require 'haml/template/patch'
 end
 
-if ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
-  Haml::Template.options[:escape_html] = true
-
-  module Haml::Util
-    def rails_xss_safe?
-      true
-    end
-  end
-
-  require 'haml/helpers/xss_mods'
-  module Haml::Helpers
-    include XssMods
-  end
+# Enable XSS integration. Use Rails' after_initialize method if possible
+# so that integration will be checked after the rails_xss plugin is loaded
+# (for Rails 2.3.* where it's not enabled by default).
+if defined?(Rails.configuration.after_initialize)
+  Rails.configuration.after_initialize {Haml::Template.try_enabling_xss_integration}
+else
+  Haml::Template.try_enabling_xss_integration
 end
 
 if defined?(RAILS_ROOT)

data/test/haml/template_test.rb

@@ -241,6 +241,9 @@ END
 
   ## XSS Protection Tests
 
+  # In order to enable these, either test against Rails 3.0
+  # or test against Rails 2.2.5+ with the rails_xss plugin
+  # (http://github.com/NZKoz/rails_xss) in test/plugins.
   if Haml::Util.rails_xss_safe?
     def test_escape_html_option_set
       assert Haml::Template.options[:escape_html]
@@ -273,5 +276,13 @@ END
     def test_xss_protection_with_mixed_strings_in_interpolation
       assert_equal("Foo & Bar & Baz\n", render('Foo #{"&".html_safe!} Bar #{"&"} Baz', :action_view))
     end
+
+    def test_rendered_string_is_html_safe
+      assert(render("Foo").html_safe?)
+    end
+
+    def test_rendered_string_is_html_safe_with_action_view
+      assert(render("Foo", :action_view).html_safe?)
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: haml-edge
 version: !ruby/object:Gem::Version 
-  version: 2.3.62
+  version: 2.3.63
 platform: ruby
 authors: 
 - Nathan Weizenbaum