haml 5.0.4 → 5.2.1

data/haml.gemspec

@@ -6,16 +6,22 @@ Gem::Specification.new do |spec|
   spec.summary     = "An elegant, structured (X)HTML/XML templating engine."
   spec.version     = Haml::VERSION
   spec.authors     = ['Natalie Weizenbaum', 'Hampton Catlin', 'Norman Clarke', 'Akira Matsuda']
-  spec.email       = ['haml@googlegroups.com', 'norman@njclarke.com']
+  spec.email       = ['haml@googlegroups.com', 'ronnie@dio.jp']
 
-  readmes          = Dir['*'].reject{ |x| x =~ /(^|[^.a-z])[a-z]+/ || x == "TODO" }
   spec.executables = ['haml']
   spec.files       = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{\Atest/})
   end
   spec.homepage    = 'http://haml.info/'
-  spec.has_rdoc    = false
   spec.license     = "MIT"
+  spec.metadata    = {
+    "bug_tracker_uri"   => "https://github.com/haml/haml/issues",
+    "changelog_uri"     => "https://github.com/haml/haml/blob/main/CHANGELOG.md",
+    "documentation_uri" => "http://haml.info/docs.html",
+    "homepage_uri"      => "http://haml.info",
+    "mailing_list_uri"  => "https://groups.google.com/forum/?fromgroups#!forum/haml",
+    "source_code_uri"   => "https://github.com/haml/haml"
+  }
 
   spec.required_ruby_version = '>= 2.0.0'
 
@@ -26,6 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rbench'
   spec.add_development_dependency 'minitest', '>= 4.0'
   spec.add_development_dependency 'nokogiri'
+  spec.add_development_dependency 'simplecov'
 
   spec.description = <<-END
 Haml (HTML Abstraction Markup Language) is a layer on top of HTML or XML that's

data/lib/haml.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'haml/version'
 
 # The module that contains everything Haml-related:

data/lib/haml/attribute_builder.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   module AttributeBuilder
     # https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
@@ -35,9 +36,9 @@ module Haml
 
           value =
             if escape_attrs == :once
-              Haml::Helpers.escape_once(value.to_s)
+              Haml::Helpers.escape_once_without_haml_xss(value.to_s)
             elsif escape_attrs
-              Haml::Helpers.html_escape(value.to_s)
+              Haml::Helpers.html_escape_without_haml_xss(value.to_s)
             else
               value.to_s
             end
@@ -125,7 +126,7 @@ module Haml
         elsif key == 'class'
           merged_class = filter_and_join(from, ' ')
           if to && merged_class
-            merged_class = (merged_class.split(' ') | to.split(' ')).sort.join(' ')
+            merged_class = (to.split(' ') | merged_class.split(' ')).join(' ')
           elsif to || merged_class
             merged_class ||= to
           end

data/lib/haml/attribute_compiler.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'haml/attribute_parser'
 
 module Haml
@@ -6,27 +7,7 @@ module Haml
     # @param type [Symbol] :static or :dynamic
     # @param key [String]
     # @param value [String] Actual string value for :static type, value's Ruby literal for :dynamic type.
-    class AttributeValue < Struct.new(:type, :key, :value)
-      # @return [String] A Ruby literal of value.
-      def to_literal
-        case type
-        when :static
-          Haml::Util.inspect_obj(value)
-        when :dynamic
-          value
-        end
-      end
-    end
-
-    # Returns a script to render attributes on runtime.
-    #
-    # @param attributes [Hash]
-    # @param object_ref [String,:nil]
-    # @param dynamic_attributes [DynamicAttributes]
-    # @return [String] Attributes rendering code
-    def self.runtime_build(attributes, object_ref, dynamic_attributes)
-      "_hamlout.attributes(#{Haml::Util.inspect_obj(attributes)}, #{object_ref},#{dynamic_attributes.to_literal})"
-    end
+    AttributeValue = Struct.new(:type, :key, :value)
 
     # @param options [Haml::Options]
     def initialize(options)
@@ -40,16 +21,16 @@ module Haml
     #
     # @param attributes [Hash]
     # @param object_ref [String,:nil]
-    # @param dynamic_attributes [DynamicAttributes]
+    # @param dynamic_attributes [Haml::Parser::DynamicAttributes]
     # @return [Array] Temple expression
     def compile(attributes, object_ref, dynamic_attributes)
       if object_ref != :nil || !AttributeParser.available?
-        return [:dynamic, AttributeCompiler.runtime_build(attributes, object_ref, dynamic_attributes)]
+        return [:dynamic, compile_runtime_build(attributes, object_ref, dynamic_attributes)]
       end
 
       parsed_hashes = [dynamic_attributes.new, dynamic_attributes.old].compact.map do |attribute_hash|
         unless (hash = AttributeParser.parse(attribute_hash))
-          return [:dynamic, AttributeCompiler.runtime_build(attributes, object_ref, dynamic_attributes)]
+          return [:dynamic, compile_runtime_build(attributes, object_ref, dynamic_attributes)]
         end
         hash
       end
@@ -63,6 +44,16 @@ module Haml
 
     private
 
+    # Returns a script to render attributes on runtime.
+    #
+    # @param attributes [Hash]
+    # @param object_ref [String,:nil]
+    # @param dynamic_attributes [Haml::Parser::DynamicAttributes]
+    # @return [String] Attributes rendering code
+    def compile_runtime_build(attributes, object_ref, dynamic_attributes)
+      "_hamlout.attributes(#{to_literal(attributes)}, #{object_ref}, #{dynamic_attributes.to_literal})"
+    end
+
     # Build array of grouped values whose sort order may go back and forth, which is also sorted with key name.
     # This method needs to group values with the same start because it can be changed in `Haml::AttributeBuidler#build_data_keys`.
     # @param values [Array<Haml::AttributeCompiler::AttributeValue>]
@@ -129,7 +120,7 @@ module Haml
 
       arguments = [@is_html, @attr_wrapper, @escape_attrs, @hyphenate_data_attrs]
       code = "::Haml::AttributeBuilder.build_attributes"\
-        "(#{arguments.map { |a| Haml::Util.inspect_obj(a) }.join(', ')}, { #{hash_content} })"
+        "(#{arguments.map(&method(:to_literal)).join(', ')}, { #{hash_content} })"
       [:static, eval(code).to_s]
     end
 
@@ -138,16 +129,16 @@ module Haml
     # @return [String]
     def merged_value(key, values)
       if values.size == 1
-        values.first.to_literal
+        attr_literal(values.first)
       else
-        "::Haml::AttributeBuilder.merge_values(#{frozen_string(key)}, #{values.map(&:to_literal).join(', ')})"
+        "::Haml::AttributeBuilder.merge_values(#{frozen_string(key)}, #{values.map(&method(:attr_literal)).join(', ')})"
       end
     end
 
     # @param str [String]
     # @return [String]
     def frozen_string(str)
-      "#{Haml::Util.inspect_obj(str)}.freeze"
+      "#{to_literal(str)}.freeze"
     end
 
     # Compiles attribute values for one key to Temple expression that generates ` key='value'`.
@@ -156,7 +147,7 @@ module Haml
     # @param values [Array<AttributeValue>]
     # @return [Array] Temple expression
     def compile_attribute(key, values)
-      if values.all? { |v| Temple::StaticAnalyzer.static?(v.to_literal) }
+      if values.all? { |v| Temple::StaticAnalyzer.static?(attr_literal(v)) }
         return static_build(values)
       end
 
@@ -180,7 +171,7 @@ module Haml
         ['false, nil', [:multi]],
         [:else, [:multi,
                  [:static, " #{id_or_class}=#{@attr_wrapper}"],
-                 [:escape, @escape_attrs, [:dynamic, var]],
+                 [:escape, Escapable::EscapeSafeBuffer.new(@escape_attrs), [:dynamic, var]],
                  [:static, @attr_wrapper]],
         ]
        ],
@@ -200,7 +191,7 @@ module Haml
         ['false, nil', [:multi]],
         [:else, [:multi,
                  [:static, " #{key}=#{@attr_wrapper}"],
-                 [:escape, @escape_attrs, [:dynamic, var]],
+                 [:escape, Escapable::EscapeSafeBuffer.new(@escape_attrs), [:dynamic, var]],
                  [:static, @attr_wrapper]],
         ]
        ],
@@ -219,5 +210,26 @@ module Haml
       @unique_name ||= 0
       "_haml_attribute_compiler#{@unique_name += 1}"
     end
+
+    # @param [Haml::AttributeCompiler::AttributeValue] attr
+    def attr_literal(attr)
+      case attr.type
+      when :static
+        to_literal(attr.value)
+      when :dynamic
+        attr.value
+      end
+    end
+
+    # For haml/haml#972
+    # @param [Object] value
+    def to_literal(value)
+      case value
+      when true, false
+        value.to_s
+      else
+        Haml::Util.inspect_obj(value)
+      end
+    end
   end
 end

data/lib/haml/attribute_parser.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
+
 begin
   require 'ripper'
 rescue LoadError
 end
+require 'temple/static_analyzer'
 
 module Haml
   # Haml::AttriubuteParser parses Hash literal to { String (key name) => String (value literal) }.
@@ -14,7 +16,7 @@ module Haml
     TYPE = 1
     TEXT = 2
 
-    IGNORED_TYPES = %i[on_sp on_ignored_nl]
+    IGNORED_TYPES = %i[on_sp on_ignored_nl].freeze
 
     class << self
       # @return [Boolean] - return true if AttributeParser.parse can be used.

data/lib/haml/buffer.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   # This class is used only internally. It holds the buffer of HTML that
   # is eventually output as the resulting document.
@@ -132,7 +133,9 @@ module Haml
     def attributes(class_id, obj_ref, *attributes_hashes)
       attributes = class_id
       attributes_hashes.each do |old|
-        AttributeBuilder.merge_attributes!(attributes, Hash[old.map {|k, v| [k.to_s, v]}])
+        result = {}
+        old.each { |k, v| result[k.to_s] = v }
+        AttributeBuilder.merge_attributes!(attributes, result)
       end
       AttributeBuilder.merge_attributes!(attributes, parse_object_ref(obj_ref)) if obj_ref
       AttributeBuilder.build_attributes(

data/lib/haml/compiler.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 require 'haml/attribute_builder'
 require 'haml/attribute_compiler'
 require 'haml/temple_line_counter'
@@ -167,7 +168,7 @@ module Haml
     end
 
     def compile_filter
-      unless filter = @filters[@node.value[:name]]
+      unless (filter = @filters[@node.value[:name]])
         name = @node.value[:name]
         if ["maruku", "textile"].include?(name)
           raise Error.new(Error.message(:install_haml_contrib, name), @node.line - 1)
@@ -187,30 +188,28 @@ module Haml
 
       if @options.html5?
         '<!DOCTYPE html>'
-      else
-        if @options.xhtml?
-          if @node.value[:version] == "1.1"
-            '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">'
-          elsif @node.value[:version] == "5"
-            '<!DOCTYPE html>'
-          else
-            case @node.value[:type]
-            when "strict";   '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'
-            when "frameset"; '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">'
-            when "mobile";   '<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/xhtml-mobile12.dtd">'
-            when "rdfa";     '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">'
-            when "basic";    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.1//EN" "http://www.w3.org/TR/xhtml-basic/xhtml-basic11.dtd">'
-            else             '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
-            end
-          end
-
-        elsif @options.html4?
+      elsif @options.xhtml?
+        if @node.value[:version] == "1.1"
+          '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">'
+        elsif @node.value[:version] == "5"
+          '<!DOCTYPE html>'
+        else
           case @node.value[:type]
-          when "strict";   '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">'
-          when "frameset"; '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">'
-          else             '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">'
+          when "strict";   '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'
+          when "frameset"; '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">'
+          when "mobile";   '<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/xhtml-mobile12.dtd">'
+          when "rdfa";     '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">'
+          when "basic";    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.1//EN" "http://www.w3.org/TR/xhtml-basic/xhtml-basic11.dtd">'
+          else             '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
           end
         end
+
+      elsif @options.html4?
+        case @node.value[:type]
+        when "strict";   '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">'
+        when "frameset"; '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">'
+        else             '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">'
+        end
       end
     end
 
@@ -315,7 +314,7 @@ module Haml
 
       case last.first
       when :text
-        last[1].rstrip!
+        last[1] = last[1].rstrip
         if last[1].empty?
           @to_merge.slice! index
           rstrip_buffer! index

data/lib/haml/engine.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 require 'forwardable'
 
 require 'haml/parser'
@@ -51,6 +52,9 @@ module Haml
     #   see {file:REFERENCE.md#options the Haml options documentation}
     # @raise [Haml::Error] if there's a Haml syntax error in the template
     def initialize(template, options = {})
+      # Reflect changes of `Haml::Options.defaults` to `Haml::TempleEngine` options, but `#initialize_encoding`
+      # should be run against the arguemnt `options[:encoding]` for backward compatibility with old `Haml::Engine`.
+      options = Options.defaults.dup.tap { |o| o.delete(:encoding) }.merge!(options)
       @options = Options.new(options)
 
       @template = check_haml_encoding(template) do |msg, line|
@@ -166,8 +170,13 @@ module Haml
       end
 
       begin
-        eval("Proc.new { |*_haml_locals| _haml_locals = _haml_locals[0] || {};" <<
-             @temple_engine.precompiled_with_ambles(local_names) << "}\n", scope, @options.filename, @options.line)
+        str = @temple_engine.precompiled_with_ambles(local_names)
+        eval(
+          "Proc.new { |*_haml_locals| _haml_locals = _haml_locals[0] || {}; #{str}}\n",
+          scope,
+          @options.filename,
+          @options.line
+        )
       rescue ::SyntaxError => e
         raise SyntaxError, e.message
       end

data/lib/haml/error.rb

@@ -1,32 +1,33 @@
 # frozen_string_literal: true
+
 module Haml
   # An exception raised by Haml code.
   class Error < StandardError
 
     MESSAGES = {
-      :bad_script_indent            => '"%s" is indented at wrong level: expected %d, but was at %d.',
-      :cant_run_filter              => 'Can\'t run "%s" filter; you must require its dependencies first',
-      :cant_use_tabs_and_spaces     => "Indentation can't use both tabs and spaces.",
-      :deeper_indenting             => "The line was indented %d levels deeper than the previous line.",
-      :filter_not_defined           => 'Filter "%s" is not defined.',
-      :gem_install_filter_deps      => '"%s" filter\'s %s dependency missing: try installing it or adding it to your Gemfile',
-      :illegal_element              => "Illegal element: classes and ids must have values.",
-      :illegal_nesting_content      => "Illegal nesting: nesting within a tag that already has content is illegal.",
-      :illegal_nesting_header       => "Illegal nesting: nesting within a header command is illegal.",
-      :illegal_nesting_line         => "Illegal nesting: content can't be both given on the same line as %%%s and nested within it.",
-      :illegal_nesting_plain        => "Illegal nesting: nesting within plain text is illegal.",
-      :illegal_nesting_self_closing => "Illegal nesting: nesting within a self-closing tag is illegal.",
-      :inconsistent_indentation     => "Inconsistent indentation: %s used for indentation, but the rest of the document was indented using %s.",
-      :indenting_at_start           => "Indenting at the beginning of the document is illegal.",
-      :install_haml_contrib         => 'To use the "%s" filter, please install the haml-contrib gem.',
-      :invalid_attribute_list       => 'Invalid attribute list: %s.',
-      :invalid_filter_name          => 'Invalid filter name ":%s".',
-      :invalid_tag                  => 'Invalid tag: "%s".',
-      :missing_if                   => 'Got "%s" with no preceding "if"',
-      :no_ruby_code                 => "There's no Ruby code for %s to evaluate.",
-      :self_closing_content         => "Self-closing tags can't have content.",
-      :unbalanced_brackets          => 'Unbalanced brackets.',
-      :no_end                       => <<-END
+      bad_script_indent:            '"%s" is indented at wrong level: expected %d, but was at %d.',
+      cant_run_filter:              'Can\'t run "%s" filter; you must require its dependencies first',
+      cant_use_tabs_and_spaces:     "Indentation can't use both tabs and spaces.",
+      deeper_indenting:             "The line was indented %d levels deeper than the previous line.",
+      filter_not_defined:           'Filter "%s" is not defined.',
+      gem_install_filter_deps:      '"%s" filter\'s %s dependency missing: try installing it or adding it to your Gemfile',
+      illegal_element:              "Illegal element: classes and ids must have values.",
+      illegal_nesting_content:      "Illegal nesting: nesting within a tag that already has content is illegal.",
+      illegal_nesting_header:       "Illegal nesting: nesting within a header command is illegal.",
+      illegal_nesting_line:         "Illegal nesting: content can't be both given on the same line as %%%s and nested within it.",
+      illegal_nesting_plain:        "Illegal nesting: nesting within plain text is illegal.",
+      illegal_nesting_self_closing: "Illegal nesting: nesting within a self-closing tag is illegal.",
+      inconsistent_indentation:     "Inconsistent indentation: %s used for indentation, but the rest of the document was indented using %s.",
+      indenting_at_start:           "Indenting at the beginning of the document is illegal.",
+      install_haml_contrib:         'To use the "%s" filter, please install the haml-contrib gem.',
+      invalid_attribute_list:       'Invalid attribute list: %s.',
+      invalid_filter_name:          'Invalid filter name ":%s".',
+      invalid_tag:                  'Invalid tag: "%s".',
+      missing_if:                   'Got "%s" with no preceding "if"',
+      no_ruby_code:                 "There's no Ruby code for %s to evaluate.",
+      self_closing_content:         "Self-closing tags can't have content.",
+      unbalanced_brackets:          'Unbalanced brackets.',
+      no_end:                       <<-END
 You don't need to use "- end" in Haml. Un-indent to close a block:
 - if foo?
   %strong Foo!
@@ -34,7 +35,7 @@ You don't need to use "- end" in Haml. Un-indent to close a block:
   Not foo.
 %p This line is un-indented, so it isn't part of the "if" block
 END
-    }
+    }.freeze
 
     def self.message(key, *args)
       string = MESSAGES[key] or raise "[HAML BUG] No error messages for #{key}"

data/lib/haml/escapable.rb

@@ -1,32 +1,34 @@
 # frozen_string_literal: true
+
 module Haml
   # Like Temple::Filters::Escapable, but with support for escaping by
   # Haml::Herlpers.html_escape and Haml::Herlpers.escape_once.
   class Escapable < Temple::Filter
+    # Special value of `flag` to ignore html_safe?
+    EscapeSafeBuffer = Struct.new(:value)
+
     def initialize(*)
       super
-      @escape_code = "::Haml::Helpers.html_escape((%s))"
-      @escaper = eval("proc {|v| #{@escape_code % 'v'} }")
-      @once_escape_code = "::Haml::Helpers.escape_once((%s))"
-      @once_escaper = eval("proc {|v| #{@once_escape_code % 'v'} }")
       @escape = false
+      @escape_safe_buffer = false
     end
 
     def on_escape(flag, exp)
-      old = @escape
-      @escape = flag
+      old_escape, old_escape_safe_buffer = @escape, @escape_safe_buffer
+      @escape_safe_buffer = flag.is_a?(EscapeSafeBuffer)
+      @escape = @escape_safe_buffer ? flag.value : flag
       compile(exp)
     ensure
-      @escape = old
+      @escape, @escape_safe_buffer = old_escape, old_escape_safe_buffer
     end
 
     # The same as Haml::AttributeBuilder.build_attributes
     def on_static(value)
       [:static,
        if @escape == :once
-         @once_escaper[value]
+         escape_once(value)
        elsif @escape
-         @escaper[value]
+         escape(value)
        else
          value
        end
@@ -37,13 +39,39 @@ module Haml
     def on_dynamic(value)
       [:dynamic,
        if @escape == :once
-         @once_escape_code % value
+         escape_once_code(value)
        elsif @escape
-         @escape_code % value
+         escape_code(value)
        else
          "(#{value}).to_s"
        end
       ]
     end
+
+    private
+
+    def escape_once(value)
+      if @escape_safe_buffer
+        ::Haml::Helpers.escape_once_without_haml_xss(value)
+      else
+        ::Haml::Helpers.escape_once(value)
+      end
+    end
+
+    def escape(value)
+      if @escape_safe_buffer
+        ::Haml::Helpers.html_escape_without_haml_xss(value)
+      else
+        ::Haml::Helpers.html_escape(value)
+      end
+    end
+
+    def escape_once_code(value)
+      "::Haml::Helpers.escape_once#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
+    end
+
+    def escape_code(value)
+      "::Haml::Helpers.html_escape#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
+    end
   end
 end