haml 4.0.7 → 5.2.2

data/lib/haml/helpers/action_view_mods.rb

@@ -1,40 +1,41 @@
-module ActionView
-  class Base
-    def render_with_haml(*args, &block)
-      options = args.first
-
-      # If render :layout is used with a block, it concats rather than returning
-      # a string so we need it to keep thinking it's Haml until it hits the
-      # sub-render.
-      if is_haml? && !(options.is_a?(Hash) && options[:layout] && block_given?)
-        return non_haml { render_without_haml(*args, &block) }
+# frozen_string_literal: true
+
+module Haml
+  module Helpers
+    module ActionViewMods
+      def render(*args, &block)
+        options = args.first
+
+        # If render :layout is used with a block, it concats rather than returning
+        # a string so we need it to keep thinking it's Haml until it hits the
+        # sub-render.
+        if is_haml? && !(options.is_a?(Hash) && options[:layout] && block_given?)
+          return non_haml { super }
+        end
+        super
       end
-      render_without_haml(*args, &block)
-    end
-    alias_method :render_without_haml, :render
-    alias_method :render, :render_with_haml
 
-    def output_buffer_with_haml
-      return haml_buffer.buffer if is_haml?
-      output_buffer_without_haml
-    end
-    alias_method :output_buffer_without_haml, :output_buffer
-    alias_method :output_buffer, :output_buffer_with_haml
+      def output_buffer
+        return haml_buffer.buffer if is_haml?
+        super
+      end
 
-    def set_output_buffer_with_haml(new_buffer)
-      if is_haml?
-        if Haml::Util.rails_xss_safe? && new_buffer.is_a?(ActiveSupport::SafeBuffer)
-          new_buffer = String.new(new_buffer)
+      def output_buffer=(new_buffer)
+        if is_haml?
+          if Haml::Util.rails_xss_safe? && new_buffer.is_a?(ActiveSupport::SafeBuffer)
+            new_buffer = String.new(new_buffer)
+          end
+          haml_buffer.buffer = new_buffer
+        else
+          super
         end
-        haml_buffer.buffer = new_buffer
-      else
-        set_output_buffer_without_haml new_buffer
       end
     end
-    alias_method :set_output_buffer_without_haml, :output_buffer=
-    alias_method :output_buffer=, :set_output_buffer_with_haml
+    ActionView::Base.send(:prepend, ActionViewMods)
   end
+end
 
+module ActionView
   module Helpers
     module CaptureHelper
       def capture_with_haml(*args, &block)
@@ -42,12 +43,7 @@ module ActionView
           #double assignment is to avoid warnings
           _hamlout = _hamlout = eval('_hamlout', block.binding) # Necessary since capture_haml checks _hamlout
 
-          str = capture_haml(*args, &block)
-
-          # NonCattingString is present in Rails less than 3.1.0. When support
-          # for 3.0 is dropped, this can be removed.
-          return ActionView::NonConcattingString.new(str) if str && defined?(ActionView::NonConcattingString)
-          return str
+          capture_haml(*args, &block)
         else
           capture_without_haml(*args, &block)
         end
@@ -57,17 +53,23 @@ module ActionView
     end
 
     module TagHelper
+      DEFAULT_PRESERVE_OPTIONS = %w(textarea pre code).freeze
+
       def content_tag_with_haml(name, *args, &block)
         return content_tag_without_haml(name, *args, &block) unless is_haml?
 
-        preserve = haml_buffer.options[:preserve].include?(name.to_s)
+        preserve = haml_buffer.options.fetch(:preserve, DEFAULT_PRESERVE_OPTIONS).include?(name.to_s)
 
         if block_given? && block_is_haml?(block) && preserve
-          return content_tag_without_haml(name, *args) {preserve(&block)}
+          return content_tag_without_haml(name, *args) do
+            haml_buffer.fix_textareas!(Haml::Helpers.preserve(&block)).html_safe
+          end
         end
 
         content = content_tag_without_haml(name, *args, &block)
-        content = Haml::Helpers.preserve(content) if preserve && content
+        if preserve && content
+          content = haml_buffer.fix_textareas!(Haml::Helpers.preserve(content)).html_safe
+        end
         content
       end
 
@@ -87,11 +89,9 @@ module ActionView
       end
     end
 
-    if ActionPack::VERSION::MAJOR == 4
-      module Tags
-        class TextArea
-          include HamlSupport
-        end
+    module Tags
+      class TextArea
+        include HamlSupport
       end
     end
 
@@ -118,7 +118,7 @@ module ActionView
               with_tabs(1) {oldproc.call(*args)}
             end
           end
-          res = form_tag_without_haml(url_for_options, options, *parameters_for_url, &proc) + "\n"
+          res = form_tag_without_haml(url_for_options, options, *parameters_for_url, &proc) << "\n"
           res << "\n" if wrap_block
           res
         else
@@ -128,20 +128,5 @@ module ActionView
       alias_method :form_tag_without_haml, :form_tag
       alias_method :form_tag, :form_tag_with_haml
     end
-
-    module FormHelper
-      def form_for_with_haml(object_name, *args, &proc)
-        wrap_block = block_given? && is_haml? && block_is_haml?(proc)
-        if wrap_block
-          oldproc = proc
-          proc = proc {|*subargs| with_tabs(1) {oldproc.call(*subargs)}}
-        end
-        res = form_for_without_haml(object_name, *args, &proc)
-        res << "\n" if wrap_block
-        res
-      end
-      alias_method :form_for_without_haml, :form_for
-      alias_method :form_for, :form_for_with_haml
-    end
   end
-end
+end

data/lib/haml/helpers/action_view_xss_mods.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionView
   module Helpers
     module CaptureHelper

data/lib/haml/helpers/safe_erubi_template.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'action_view'
+
+module Haml
+  class ErubiTemplateHandler < ActionView::Template::Handlers::ERB::Erubi
+
+    def initialize(*args, &blk)
+      @newline_pending = 0
+      super
+    end
+  end
+
+  class SafeErubiTemplate < Tilt::ErubiTemplate
+    def prepare
+      @options.merge! engine_class: Haml::ErubiTemplateHandler
+      super
+    end
+  end
+end

data/lib/haml/helpers/safe_erubis_template.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'action_view'
+
 module Haml
 
   class ErubisTemplateHandler < ActionView::Template::Handlers::Erubis
@@ -26,4 +30,4 @@ module Haml
       [super, '@output_buffer.to_s'].join("\n")
     end
   end
-end
+end

data/lib/haml/helpers/xss_mods.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Haml
   module Helpers
     # This module overrides Haml helpers to work properly
@@ -6,12 +8,15 @@ module Haml
     # to work with Rails' XSS protection methods.
     module XssMods
       def self.included(base)
-        %w[html_escape find_and_preserve preserve list_of surround
-           precede succeed capture_haml haml_concat haml_indent
-           haml_tag escape_once].each do |name|
+        %w[find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
           base.send(:alias_method, "#{name}_without_haml_xss", name)
           base.send(:alias_method, name, "#{name}_with_haml_xss")
         end
+        # Those two always have _without_haml_xss
+        %w[html_escape escape_once].each do |name|
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
       end
 
       # Don't escape text that's already safe,
@@ -61,24 +66,29 @@ module Haml
         Haml::Util.html_safe(capture_haml_without_haml_xss(*args, &block))
       end
 
-      # Input is escaped
+      # Input will be escaped unless this is in a `with_raw_haml_concat`
+      # block. See #Haml::Helpers::ActionViewExtensions#with_raw_haml_concat.
       def haml_concat_with_haml_xss(text = "")
-        raw = instance_variable_defined?('@_haml_concat_raw') ? @_haml_concat_raw : false
-        haml_concat_without_haml_xss(raw ? text : haml_xss_html_escape(text))
+        raw = instance_variable_defined?(:@_haml_concat_raw) ? @_haml_concat_raw : false
+        if raw
+          haml_internal_concat_raw text
+        else
+          haml_internal_concat text
+        end
+        ErrorReturn.new("haml_concat")
       end
 
+      # Input is escaped
+      def haml_internal_concat_with_haml_xss(text="", newline=true, indent=true)
+        haml_internal_concat_without_haml_xss(haml_xss_html_escape(text), newline, indent)
+      end
+      private :haml_internal_concat_with_haml_xss
+
       # Output is always HTML safe
       def haml_indent_with_haml_xss
         Haml::Util.html_safe(haml_indent_without_haml_xss)
       end
 
-      # Input is escaped, haml_concat'ed output is always HTML safe
-      def haml_tag_with_haml_xss(name, *rest, &block)
-        name = haml_xss_html_escape(name.to_s)
-        rest.unshift(haml_xss_html_escape(rest.shift.to_s)) unless [Symbol, Hash, NilClass].any? {|t| rest.first.is_a? t}
-        with_raw_haml_concat {haml_tag_without_haml_xss(name, *rest, &block)}
-      end
-
       # Output is always HTML safe
       def escape_once_with_haml_xss(*args)
         Haml::Util.html_safe(escape_once_without_haml_xss(*args))

data/lib/haml/helpers.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'erb'
+
 module Haml
   # This module contains various helpful methods to make it easier to do various tasks.
   # {Haml::Helpers} is automatically included in the context
@@ -106,7 +110,8 @@ MESSAGE
     #   @yield The block within which to escape newlines
     def find_and_preserve(input = nil, tags = haml_buffer.options[:preserve], &block)
       return find_and_preserve(capture_haml(&block), input || tags) if block
-      re = /<(#{tags.map(&Regexp.method(:escape)).join('|')})([^>]*)>(.*?)(<\/\1>)/im
+      tags = tags.map { |tag| Regexp.escape(tag) }.join('|')
+      re = /<(#{tags})([^>]*)>(.*?)(<\/\1>)/im
       input.to_s.gsub(re) do |s|
         s =~ re # Can't rely on $1, etc. existing since Rails' SafeBuffer#gsub is incompatible
         "<#{$1}#{$2}>#{preserve($3)}</#{$1}>"
@@ -117,17 +122,20 @@ MESSAGE
     # HTML entities so they'll render correctly in
     # whitespace-sensitive tags without screwing up the indentation.
     #
-    # @overload perserve(input)
+    # @overload preserve(input)
     #   Escapes newlines within a string.
     #
     #   @param input [String] The string within which to escape all newlines
-    # @overload perserve
+    # @overload preserve
     #   Escapes newlines within a block of Haml code.
     #
     #   @yield The block within which to escape newlines
     def preserve(input = nil, &block)
       return preserve(capture_haml(&block)) if block
-      input.to_s.chomp("\n").gsub(/\n/, '&#x000A;').gsub(/\r/, '')
+      s = input.to_s.chomp("\n")
+      s.gsub!(/\n/, '&#x000A;')
+      s.delete!("\r")
+      s
     end
     alias_method :flatten, :preserve
 
@@ -190,20 +198,19 @@ MESSAGE
     # @yield [item] A block which contains Haml code that goes within list items
     # @yieldparam item An element of `enum`
     def list_of(enum, opts={}, &block)
-      opts_attributes = opts.empty? ? "" : " ".<<(opts.map{|k,v| "#{k}='#{v}'" }.join(" "))
-      to_return = enum.collect do |i|
+      opts_attributes = opts.map { |k, v| " #{k}='#{v}'" }.join
+      enum.map do |i|
         result = capture_haml(i, &block)
 
         if result.count("\n") > 1
-          result = result.gsub("\n", "\n  ")
+          result.gsub!("\n", "\n  ")
           result = "\n  #{result.strip}\n"
         else
-          result = result.strip
+          result.strip!
         end
 
         %Q!<li#{opts_attributes}>#{result}</li>!
-      end
-      to_return.join("\n")
+      end.join("\n")
     end
 
     # Returns a hash containing default assignments for the `xmlns`, `lang`, and `xml:lang`
@@ -219,7 +226,11 @@ MESSAGE
     # @param lang [String] The value of `xml:lang` and `lang`
     # @return [{#to_s => String}] The attribute hash
     def html_attrs(lang = 'en-US')
-      {:xmlns => "http://www.w3.org/1999/xhtml", 'xml:lang' => lang, :lang => lang}
+      if haml_buffer.options[:format] == :xhtml
+        {:xmlns => "http://www.w3.org/1999/xhtml", 'xml:lang' => lang, :lang => lang}
+      else
+        {:lang => lang}
+      end
     end
 
     # Increments the number of tabs the buffer automatically adds
@@ -370,12 +381,10 @@ MESSAGE
         captured = haml_buffer.buffer.slice!(position..-1)
 
         if captured == '' and value != haml_buffer.buffer
-             captured = (value.is_a?(String) ? value : nil)
+          captured = (value.is_a?(String) ? value : nil)
         end
 
-        return nil if captured.nil?
-        return (haml_buffer.options[:ugly] ? captured : prettify(captured))
-
+        captured
       end
     ensure
       haml_buffer.capture_position = nil
@@ -385,14 +394,34 @@ MESSAGE
     #
     # @param text [#to_s] The text to output
     def haml_concat(text = "")
-      unless haml_buffer.options[:ugly] || haml_indent == 0
-        haml_buffer.buffer << haml_indent <<
-          text.to_s.gsub("\n", "\n" + haml_indent) << "\n"
+      haml_internal_concat text
+      ErrorReturn.new("haml_concat")
+    end
+
+    # Internal method to write directly to the buffer with control of
+    # whether the first line should be indented, and if there should be a
+    # final newline.
+    #
+    # Lines added will have the proper indentation. This can be controlled
+    # for the first line.
+    #
+    # Used by #haml_concat and #haml_tag.
+    #
+    # @param text [#to_s] The text to output
+    # @param newline [Boolean] Whether to add a newline after the text
+    # @param indent [Boolean] Whether to add indentation to the first line
+    def haml_internal_concat(text = "", newline = true, indent = true)
+      if haml_buffer.tabulation == 0
+        haml_buffer.buffer << "#{text}#{"\n" if newline}"
       else
-        haml_buffer.buffer << text.to_s << "\n"
+        haml_buffer.buffer << %[#{haml_indent if indent}#{text.to_s.gsub("\n", "\n#{haml_indent}")}#{"\n" if newline}]
       end
-      ErrorReturn.new("haml_concat")
     end
+    private :haml_internal_concat
+
+    # Allows writing raw content. `haml_internal_concat_raw` isn't
+    # effected by XSS mods. Used by #haml_tag to write the actual tags.
+    alias :haml_internal_concat_raw :haml_internal_concat
 
     # @return [String] The indentation string for the current line
     def haml_indent
@@ -466,14 +495,14 @@ MESSAGE
       attrs.keys.each {|key| attrs[key.to_s] = attrs.delete(key)} unless attrs.empty?
       name, attrs = merge_name_and_attributes(name.to_s, attrs)
 
-      attributes = Haml::Compiler.build_attributes(haml_buffer.html?,
+      attributes = Haml::AttributeBuilder.build_attributes(haml_buffer.html?,
         haml_buffer.options[:attr_wrapper],
         haml_buffer.options[:escape_attrs],
         haml_buffer.options[:hyphenate_data_attrs],
         attrs)
 
       if text.nil? && block.nil? && (haml_buffer.options[:autoclose].include?(name) || flags.include?(:/))
-        haml_concat "<#{name}#{attributes} />"
+        haml_internal_concat_raw "<#{name}#{attributes}#{' /' if haml_buffer.options[:format] == :xhtml}>"
         return ret
       end
 
@@ -483,17 +512,19 @@ MESSAGE
       end
 
       tag = "<#{name}#{attributes}>"
+      end_tag = "</#{name}>"
       if block.nil?
         text = text.to_s
         if text.include?("\n")
-          haml_concat tag
+          haml_internal_concat_raw tag
           tab_up
-          haml_concat text
+          haml_internal_concat text
           tab_down
-          haml_concat "</#{name}>"
+          haml_internal_concat_raw end_tag
         else
-          tag << text << "</#{name}>"
-          haml_concat tag
+          haml_internal_concat_raw tag, false
+          haml_internal_concat text, false, false
+          haml_internal_concat_raw end_tag, true, false
         end
         return ret
       end
@@ -503,69 +534,100 @@ MESSAGE
       end
 
       if flags.include?(:<)
-        tag << capture_haml(&block).strip << "</#{name}>"
-        haml_concat tag
+        haml_internal_concat_raw tag, false
+        haml_internal_concat "#{capture_haml(&block).strip}", false, false
+        haml_internal_concat_raw end_tag, true, false
         return ret
       end
 
-      haml_concat tag
+      haml_internal_concat_raw tag
       tab_up
       block.call
       tab_down
-      haml_concat "</#{name}>"
+      haml_internal_concat_raw end_tag
 
       ret
     end
 
-    # Characters that need to be escaped to HTML entities from user input
-    HTML_ESCAPE = { '&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#039;', }
+    # Conditionally wrap a block in an element. If `condition` is `true` then
+    # this method renders the tag described by the arguments in `tag` (using
+    # \{#haml_tag}) with the given block inside, otherwise it just renders the block.
+    #
+    # For example,
+    #
+    #     - haml_tag_if important, '.important' do
+    #       %p
+    #         A (possibly) important paragraph.
+    #
+    # will produce
+    #
+    #     <div class='important'>
+    #       <p>
+    #         A (possibly) important paragraph.
+    #       </p>
+    #     </div>
+    #
+    # if `important` is truthy, and just
+    #
+    #     <p>
+    #       A (possibly) important paragraph.
+    #     </p>
+    #
+    # otherwise.
+    #
+    # Like \{#haml_tag}, `haml_tag_if` outputs directly to the buffer and its
+    # return value should not be used. Use \{#capture_haml} if you need to use
+    # its results as a string.
+    #
+    # @param condition The condition to test to determine whether to render
+    #   the enclosing tag
+    # @param tag Definition of the enclosing tag. See \{#haml_tag} for details
+    #   (specifically the form that takes a block)
+    def haml_tag_if(condition, *tag)
+      if condition
+        haml_tag(*tag){ yield }
+      else
+        yield
+      end
+      ErrorReturn.new("haml_tag_if")
+    end
 
-    HTML_ESCAPE_REGEX = /[\"><&]/
+    # Characters that need to be escaped to HTML entities from user input
+    HTML_ESCAPE = {'&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'}.freeze
 
-    if RUBY_VERSION >= '1.9'
-      # Include docs here so they are picked up by Yard
+    HTML_ESCAPE_REGEX = /['"><&]/
 
-      # Returns a copy of `text` with ampersands, angle brackets and quotes
-      # escaped into HTML entities.
-      #
-      # Note that if ActionView is loaded and XSS protection is enabled
-      # (as is the default for Rails 3.0+, and optional for version 2.3.5+),
-      # this won't escape text declared as "safe".
-      #
-      # @param text [String] The string to sanitize
-      # @return [String] The sanitized string
-      def html_escape(text)
-        text = text.to_s
-        text.gsub(HTML_ESCAPE_REGEX, HTML_ESCAPE)
-      end
-    else
-      def html_escape(text)
-        text = text.to_s
-        text.gsub(HTML_ESCAPE_REGEX) {|s| HTML_ESCAPE[s]}
-      end
+    # Returns a copy of `text` with ampersands, angle brackets and quotes
+    # escaped into HTML entities.
+    #
+    # Note that if ActionView is loaded and XSS protection is enabled
+    # (as is the default for Rails 3.0+, and optional for version 2.3.5+),
+    # this won't escape text declared as "safe".
+    #
+    # @param text [String] The string to sanitize
+    # @return [String] The sanitized string
+    def html_escape(text)
+      CGI.escapeHTML(text.to_s)
     end
 
-    HTML_ESCAPE_ONCE_REGEX = /[\"><]|&(?!(?:[a-zA-Z]+|(#\d+));)/
+    # Always escape text regardless of html_safe?
+    alias_method :html_escape_without_haml_xss, :html_escape
 
-    if RUBY_VERSION >= '1.9'
-      # Include docs here so they are picked up by Yard
+    HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
 
-      # Escapes HTML entities in `text`, but without escaping an ampersand
-      # that is already part of an escaped entity.
-      #
-      # @param text [String] The string to sanitize
-      # @return [String] The sanitized string
-      def escape_once(text)
-        text = text.to_s
-        text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
-      end
-    else
-      def escape_once(text)
-        text = text.to_s
-        text.gsub(HTML_ESCAPE_ONCE_REGEX){|s| HTML_ESCAPE[s]}
-      end
+    # Escapes HTML entities in `text`, but without escaping an ampersand
+    # that is already part of an escaped entity.
+    #
+    # @param text [String] The string to sanitize
+    # @return [String] The sanitized string
+    def escape_once(text)
+      text = text.to_s
+      text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
     end
 
+    # Always escape text once regardless of html_safe?
+    alias_method :escape_once_without_haml_xss, :escape_once
+
     # Returns whether or not the current template is a Haml template.
     #
     # This function, unlike other {Haml::Helpers} functions,
@@ -593,7 +655,7 @@ MESSAGE
       # skip merging if no ids or classes found in name
       return name, attributes_hash unless name =~ /^(.+?)?([\.#].*)$/
 
-      return $1 || "div", Buffer.merge_attrs(
+      return $1 || "div", AttributeBuilder.merge_attributes!(
         Haml::Parser.parse_class_and_id($2), attributes_hash)
     end
 
@@ -630,22 +692,6 @@ MESSAGE
       _erbout = _erbout = _hamlout.buffer
       proc { |*args| proc.call(*args) }
     end
-
-    def prettify(text)
-      text = text.split(/^/)
-      text.delete('')
-
-      min_tabs = nil
-      text.each do |line|
-        tabs = line.index(/[^ ]/) || line.length
-        min_tabs ||= tabs
-        min_tabs = min_tabs > tabs ? tabs : min_tabs
-      end
-
-      text.map do |line|
-        line.slice(min_tabs, line.length)
-      end.join
-    end
   end
 end
 
@@ -661,4 +707,3 @@ class Object
     false
   end
 end
-