haml 3.2.0.beta.2 → 3.2.0.beta.3

data/CHANGELOG.md

@@ -5,23 +5,30 @@
 * HTML5 is now the default output format rather than XHTML. This was already
   the default on Rails 3+, so many users will notice no difference.
 
+* The :sass filter now wraps its output in a script tag, as do the new :less and
+  :scss filters. The :coffee filter wraps its output in a script tag.
+
+* Haml now supports only Rails 3 and above, and Ruby 1.8.7 and above. If you
+  still need support for Rails 2 and Ruby 1.8.6, please use Haml 3.1.x which
+  will continue to be maintained for bug fixes.
+
 * The :javascript and :css filters no longer add CDATA tags when the format is
   html4 or html5. This can be overridden by setting the `cdata` option to
   `true`. CDATA tags are always added when the format is xhtml.
 
 * HTML2Haml has been extracted to a separate gem, creatively named "html2haml".
 
+* The `:erb` filter now uses Rails's safe output buffer to provide XSS safety.
+
 * Haml's internals have been refactored to move the parser, compiler and options
   handling into independent classes, rather than including them all in the
   Engine module. You can also specify your own custom Haml parser or compiler
   class in Haml::Options in order to extend or modify Haml reasonably easily.
 
-* The :sass filter now wraps its output in a script tag, as do the new :less and
-  :scss filters. The :coffee filter wraps its output in a script tag.
-
-* Haml now supports only Rails 3 and above, and Ruby 1.8.7 and above. If you
-  still need support for Rails 2 and Ruby 1.8.6, please use Haml 3.1.x which
-  will continue to be maintained for bug fixes.
+* Add an {file:REFERENCE.md#hyphenate_data_attrs-option `:hyphenate_data_attrs`
+  option} that converts underscores to hyphens in your HTML5 data keys. This is
+  a language change from 3.1 and is enabled by default.
+  (thanks to [Andrew Smith](https://github.com/fullsailor))
 
 * Added `remove_whitespace` option to always remove all whitespace around Haml
   tags. (thanks to [Tim van der Horst](https://github.com/vdh))
@@ -54,11 +61,6 @@
 * Performance improvements.
   (thanks to [Chris Heald](https://github.com/cheald))
 
-* Add an {file:REFERENCE.md#hyphenate_data_attrs-option `:hyphenate_data_attrs`
-  option} that converts underscores to hyphens in your HTML5 data keys. This is
-  a language change from 3.1 and is enabled by default.
-  (thanks to [Andrew Smith](https://github.com/fullsailor))
-
 * Helper `list_of` takes an extra argument that is rendered into list item
   attributes.
   (thanks  [Iain Barnett](http://iainbarnett.me.uk/))

data/lib/haml.rb

@@ -2,11 +2,12 @@ require 'haml/version'
 
 # The module that contains everything Haml-related:
 #
+# * {Haml::Parser} is Haml's parser.
+# * {Haml::Compiler} is Haml's compiler.
+# * {Haml::Engine} is the class used to render Haml within Ruby code.
+# * {Haml::Options} is where Haml's runtime options are defined.
 # * {Haml::Engine} is the class used to render Haml within Ruby code.
-# * {Haml::Helpers} contains Ruby helpers available within Haml templates.
-# * {Haml::Template} interfaces with web frameworks (Rails in particular).
 # * {Haml::Error} is raised when Haml encounters an error.
-# * {Haml::HTML} handles conversion of HTML to Haml.
 #
 # Also see the {file:REFERENCE.md full Haml reference}.
 module Haml

data/lib/haml/helpers/safe_erubis_template.rb

@@ -0,0 +1,20 @@
+module Haml
+  class SafeErubisTemplate < Tilt::ErubisTemplate
+
+    def initialize_engine
+    end
+
+    def prepare
+      @options.merge! :engine_class => ActionView::Template::Handlers::Erubis
+      super
+    end
+
+    def precompiled_preamble(locals)
+      [super, "@output_buffer = output_buffer ||= nil || ActionView::OutputBuffer.new;"]
+    end
+
+    def precompiled_postamble(locals)
+      [super, '@output_buffer.to_s']
+    end
+  end
+end

data/lib/haml/parser.rb

@@ -77,7 +77,7 @@ module Haml
     START_BLOCK_KEYWORDS = %w[if begin case unless]
     # Try to parse assignments to block starters as best as possible
     START_BLOCK_KEYWORD_REGEX = /(?:\w+(?:,\s*\w+)*\s*=\s*)?(#{START_BLOCK_KEYWORDS.join('|')})/
-    BLOCK_KEYWORD_REGEX = /^-\s*(?:(#{MID_BLOCK_KEYWORDS.join('|')})|#{START_BLOCK_KEYWORD_REGEX.source})\b/
+    BLOCK_KEYWORD_REGEX = /^-?\s*(?:(#{MID_BLOCK_KEYWORDS.join('|')})|#{START_BLOCK_KEYWORD_REGEX.source})\b/
 
     # The Regex that matches a Doctype command.
     DOCTYPE_REGEX = /(\d(?:\.\d)?)?[\s]*([a-z]*)\s*([^ ]+)?/i
@@ -269,8 +269,11 @@ module Haml
       text = handle_ruby_multiline(text)
       escape_html = @options[:escape_html] if escape_html.nil?
 
+      keyword = block_keyword(text)
+      check_push_script_stack(keyword)
+
       ParseNode.new(:script, @index, :text => text, :escape_html => escape_html,
-        :preserve => preserve)
+        :preserve => preserve, :keyword => keyword)
     end
 
     def flat_script(text, escape_html = nil)
@@ -286,16 +289,22 @@ module Haml
       text = handle_ruby_multiline(text)
       keyword = block_keyword(text)
 
-      if ["if", "case", "unless"].include?(keyword)
-        @script_level_stack.push(@line.tabs)
-        @tab_up = true
-      end
+      check_push_script_stack(keyword)
 
-      if ["else", "elsif"].include?(keyword)
+      if ["else", "elsif", "when"].include?(keyword)
         if @script_level_stack.empty?
           raise Haml::SyntaxError.new(Error.message(:missing_if, keyword), @line.index)
-        elsif @script_level_stack.last != @line.tabs
-          message = Error.message(:bad_script_indent, keyword, @script_level_stack.last, @line.tabs)
+        end
+
+        if keyword == 'when' and !@script_level_stack.last[2]
+          if @script_level_stack.last[1] + 1 == @line.tabs
+            @script_level_stack.last[1] += 1
+          end
+          @script_level_stack.last[2] = true
+        end
+
+        if @script_level_stack.last[1] != @line.tabs
+          message = Error.message(:bad_script_indent, keyword, @script_level_stack.last[1], @line.tabs)
           raise Haml::SyntaxError.new(message, @line.index)
         end
       end
@@ -304,6 +313,16 @@ module Haml
         :text => text[1..-1], :keyword => keyword)
     end
 
+    def check_push_script_stack(keyword)
+      if ["if", "case", "unless"].include?(keyword)
+        # @script_level_stack contents are arrays of form
+        # [:keyword, stack_level, other_info]
+        @script_level_stack.push([keyword.to_sym, @line.tabs])
+        @script_level_stack.last << false if keyword == 'case'
+        @tab_up = true
+      end
+    end
+
     def haml_comment(text)
       @haml_comment = block_opened?
       ParseNode.new(:haml_comment, @index, :text => text)
@@ -458,6 +477,8 @@ module Haml
       first.children = []
     end
 
+    alias :close_script :close_silent_script
+
     # This is a class method so it can be accessed from {Haml::Helpers}.
     #
     # Iterates through the classes and ids supplied through `.`

data/lib/haml/railtie.rb

@@ -6,3 +6,6 @@ if defined?(ActiveSupport)
     end
   end
 end
+
+require "haml/helpers/safe_erubis_template"
+Haml::Filters::Erb.template_class = Haml::SafeErubisTemplate

data/lib/haml/version.rb

@@ -1,3 +1,3 @@
 module Haml
-  VERSION = "3.2.0.beta.2"
+  VERSION = "3.2.0.beta.3"
 end

data/test/filters_test.rb

@@ -122,13 +122,18 @@ class ErbFilterTest < MiniTest::Unit::TestCase
     assert_equal(html, render(haml))
   end
 
-
   test "should evaluate in the same context as Haml" do
     haml  = ":erb\n  <%= foo %>"
     html  = "bar\n"
     scope = Object.new.instance_eval {foo = "bar"; nil if foo; binding}
     assert_equal(html, render(haml, :scope => scope))
   end
+
+  test "should use Rails's XSS safety features" do
+    assert_equal("&lt;img&gt;\n", render(":erb\n  <%= '<img>' %>"))
+    assert_equal("<img>\n", render(":erb\n  <%= '<img>'.html_safe %>"))
+  end
+
 end
 
 class JavascriptFilterTest < MiniTest::Unit::TestCase

data/test/parser_test.rb

@@ -66,6 +66,33 @@ module Haml
         flunk 'else clause after if containing unless should be accepted'
       end
     end
+    
+    test "loud script with else is accepted" do
+      begin
+        parse "= if true\n  - 'A'\n-else\n  - 'B'"
+        assert true
+      rescue SyntaxError
+        flunk 'loud script (=) should allow else'
+      end
+    end
+
+    test "else after nested loud script is accepted" do
+      begin
+        parse "-if true\n  =if true\n    - 'A'\n-else\n  B"
+        assert true
+      rescue SyntaxError
+        flunk 'else after nested loud script should be accepted'
+      end
+    end
+
+    test "case with indented whens should allow else" do
+      begin
+        parse "- foo = 1\n-case foo\n  -when 1\n    A\n  -else\n    B"
+        assert true
+      rescue SyntaxError
+        flunk 'case with indented whens should allow else'
+      end
+    end
 
     private
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: haml
 version: !ruby/object:Gem::Version
-  version: 3.2.0.beta.2
+  version: 3.2.0.beta.3
   prerelease: 6
 platform: ruby
 authors:
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-10 00:00:00.000000000 Z
+date: 2012-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tilt
@@ -107,6 +107,7 @@ files:
 - lib/haml/helpers/action_view_extensions.rb
 - lib/haml/helpers/action_view_mods.rb
 - lib/haml/helpers/rails_323_textarea_fix.rb
+- lib/haml/helpers/safe_erubis_template.rb
 - lib/haml/helpers/xss_mods.rb
 - lib/haml/helpers.rb
 - lib/haml/options.rb