haml 5.0.4 → 5.2.1

data/lib/haml/exec.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'optparse'
 require 'rbconfig'
 require 'pp'
@@ -120,7 +121,7 @@ module Haml
         @options[:input], @options[:output] = input, output
       end
 
-      COLORS = { :red => 31, :green => 32, :yellow => 33 }
+      COLORS = {red: 31, green: 32, yellow: 33}.freeze
 
       # Prints a status message about performing the given action,
       # colored using the given color (via terminal escapes) if possible.
@@ -337,11 +338,9 @@ END
       end
 
       def validate_ruby(code)
-        begin
-          eval("BEGIN {return nil}; #{code}", binding, @options[:filename] || "")
-        rescue ::SyntaxError # Not to be confused with Haml::SyntaxError
-          $!
-        end
+        eval("BEGIN {return nil}; #{code}", binding, @options[:filename] || "")
+      rescue ::SyntaxError # Not to be confused with Haml::SyntaxError
+        $!
       end
     end
   end

data/lib/haml/filters.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 require "tilt"
 
 module Haml
@@ -119,7 +120,7 @@ module Haml
       # @param text [String] The source text for the filter to process
       # @return [String] The filtered result
       # @raise [Haml::Error] if it's not overridden
-      def render(text)
+      def render(_text)
         raise Error.new("#{self.inspect}#render not defined!")
       end
 
@@ -130,7 +131,7 @@ module Haml
       # @param text [String] The source text for the filter to process
       # @return [String] The filtered result
       # @raise [Haml::Error] if it or \{#render} isn't overridden
-      def render_with_options(text, options)
+      def render_with_options(text, _options)
         render(text)
       end
 
@@ -164,7 +165,11 @@ module Haml
           if contains_interpolation?(text)
             return if options[:suppress_eval]
 
-            text = unescape_interpolation(text, options[:escape_html]).gsub(/(\\+)n/) do |s|
+            escape = options[:escape_filter_interpolations]
+            # `escape_filter_interpolations` defaults to `escape_html` if unset.
+            escape = options[:escape_html] if escape.nil?
+
+            text = unescape_interpolation(text, escape).gsub(/(\\+)n/) do |s|
               escapes = $1.size
               next s if escapes % 2 == 0
               "#{'\\' * (escapes - 1)}\n"
@@ -182,9 +187,8 @@ RUBY
             return
           end
 
-          rendered = Haml::Helpers::find_and_preserve(filter.render_with_options(text, compiler.options), compiler.options[:preserve])
-          rendered.rstrip!
-          push_text("#{rendered}\n")
+          rendered = Haml::Helpers::find_and_preserve(filter.render_with_options(text.to_s, compiler.options), compiler.options[:preserve])
+          push_text("#{rendered.rstrip}\n")
         end
       end
     end
@@ -247,10 +251,7 @@ RUBY
 
       # @see Base#render
       def render(text)
-        text = "\n#{text}"
-        text.rstrip!
-        text.gsub!("\n", "\n    ")
-        "<![CDATA[#{text}\n]]>"
+        "<![CDATA[#{"\n#{text.rstrip}".gsub("\n", "\n    ")}\n]]>"
       end
     end
 

data/lib/haml/generator.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 module Haml
   # Ruby code generator, which is a limited version of Temple::Generator.
   # Limit methods since Haml doesn't need most of them.

data/lib/haml/helpers.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 require 'erb'
 
 module Haml
@@ -109,10 +110,7 @@ MESSAGE
     #   @yield The block within which to escape newlines
     def find_and_preserve(input = nil, tags = haml_buffer.options[:preserve], &block)
       return find_and_preserve(capture_haml(&block), input || tags) if block
-      tags = tags.each_with_object('') do |t, s|
-        s << '|' unless s.empty?
-        s << Regexp.escape(t)
-      end
+      tags = tags.map { |tag| Regexp.escape(tag) }.join('|')
       re = /<(#{tags})([^>]*)>(.*?)(<\/\1>)/im
       input.to_s.gsub(re) do |s|
         s =~ re # Can't rely on $1, etc. existing since Rails' SafeBuffer#gsub is incompatible
@@ -200,8 +198,8 @@ MESSAGE
     # @yield [item] A block which contains Haml code that goes within list items
     # @yieldparam item An element of `enum`
     def list_of(enum, opts={}, &block)
-      opts_attributes = opts.each_with_object('') {|(k, v), s| s << " #{k}='#{v}'"}
-      enum.each_with_object('') do |i, ret|
+      opts_attributes = opts.map { |k, v| " #{k}='#{v}'" }.join
+      enum.map do |i|
         result = capture_haml(i, &block)
 
         if result.count("\n") > 1
@@ -211,9 +209,8 @@ MESSAGE
           result.strip!
         end
 
-        ret << "\n" unless ret.empty?
-        ret << %Q!<li#{opts_attributes}>#{result}</li>!
-      end
+        %Q!<li#{opts_attributes}>#{result}</li>!
+      end.join("\n")
     end
 
     # Returns a hash containing default assignments for the `xmlns`, `lang`, and `xml:lang`
@@ -596,7 +593,7 @@ MESSAGE
     end
 
     # Characters that need to be escaped to HTML entities from user input
-    HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }
+    HTML_ESCAPE = {'&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'}.freeze
 
     HTML_ESCAPE_REGEX = /['"><&]/
 
@@ -610,9 +607,12 @@ MESSAGE
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def html_escape(text)
-      ERB::Util.html_escape(text)
+      CGI.escapeHTML(text.to_s)
     end
 
+    # Always escape text regardless of html_safe?
+    alias_method :html_escape_without_haml_xss, :html_escape
+
     HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
 
     # Escapes HTML entities in `text`, but without escaping an ampersand
@@ -625,6 +625,9 @@ MESSAGE
       text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
     end
 
+    # Always escape text once regardless of html_safe?
+    alias_method :escape_once_without_haml_xss, :escape_once
+
     # Returns whether or not the current template is a Haml template.
     #
     # This function, unlike other {Haml::Helpers} functions,
@@ -704,4 +707,3 @@ class Object
     false
   end
 end
-

data/lib/haml/helpers/action_view_extensions.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   module Helpers
     @@action_view_defined = true

data/lib/haml/helpers/action_view_mods.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   module Helpers
     module ActionViewMods
@@ -52,10 +53,12 @@ module ActionView
     end
 
     module TagHelper
+      DEFAULT_PRESERVE_OPTIONS = %w(textarea pre code).freeze
+
       def content_tag_with_haml(name, *args, &block)
         return content_tag_without_haml(name, *args, &block) unless is_haml?
 
-        preserve = haml_buffer.options.fetch(:preserve, %w[textarea pre code]).include?(name.to_s)
+        preserve = haml_buffer.options.fetch(:preserve, DEFAULT_PRESERVE_OPTIONS).include?(name.to_s)
 
         if block_given? && block_is_haml?(block) && preserve
           return content_tag_without_haml(name, *args) do

data/lib/haml/helpers/action_view_xss_mods.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ActionView
   module Helpers
     module CaptureHelper

data/lib/haml/helpers/safe_erubi_template.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'action_view'
 
 module Haml

data/lib/haml/helpers/safe_erubis_template.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'action_view'
 
 module Haml

data/lib/haml/helpers/xss_mods.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   module Helpers
     # This module overrides Haml helpers to work properly
@@ -7,12 +8,15 @@ module Haml
     # to work with Rails' XSS protection methods.
     module XssMods
       def self.included(base)
-        %w[html_escape find_and_preserve preserve list_of surround
-           precede succeed capture_haml haml_concat haml_internal_concat haml_indent
-           escape_once].each do |name|
+        %w[find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
           base.send(:alias_method, "#{name}_without_haml_xss", name)
           base.send(:alias_method, name, "#{name}_with_haml_xss")
         end
+        # Those two always have _without_haml_xss
+        %w[html_escape escape_once].each do |name|
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
       end
 
       # Don't escape text that's already safe,

data/lib/haml/options.rb

@@ -1,47 +1,44 @@
 # frozen_string_literal: true
+
 module Haml
   # This class encapsulates all of the configuration options that Haml
   # understands. Please see the {file:REFERENCE.md#options Haml Reference} to
   # learn how to set the options.
   class Options
-
     @valid_formats = [:html4, :html5, :xhtml]
-
     @buffer_option_keys = [:autoclose, :preserve, :attr_wrapper, :format,
-      :encoding, :escape_html, :escape_attrs, :hyphenate_data_attrs, :cdata]
+      :encoding, :escape_html, :escape_filter_interpolations, :escape_attrs, :hyphenate_data_attrs, :cdata]
 
-    # The default option values.
-    # @return Hash
-    def self.defaults
-      @defaults ||= Haml::TempleEngine.options.to_hash.merge(encoding: 'UTF-8')
-    end
+    class << self
+      # The default option values.
+      # @return Hash
+      def defaults
+        @defaults ||= Haml::TempleEngine.options.to_hash.merge(encoding: 'UTF-8')
+      end
 
-    # An array of valid values for the `:format` option.
-    # @return Array
-    def self.valid_formats
-      @valid_formats
-    end
+      # An array of valid values for the `:format` option.
+      # @return Array
+      attr_reader :valid_formats
 
-    # An array of keys that will be used to provide a hash of options to
-    # {Haml::Buffer}.
-    # @return Hash
-    def self.buffer_option_keys
-      @buffer_option_keys
-    end
+      # An array of keys that will be used to provide a hash of options to
+      # {Haml::Buffer}.
+      # @return Hash
+      attr_reader :buffer_option_keys
 
-    # Returns a subset of defaults: those that {Haml::Buffer} cares about.
-    # @return [{Symbol => Object}] The options hash
-    def self.buffer_defaults
-      @buffer_defaults ||= buffer_option_keys.inject({}) do |hash, key|
-        hash.merge(key => defaults[key])
+      # Returns a subset of defaults: those that {Haml::Buffer} cares about.
+      # @return [{Symbol => Object}] The options hash
+      def buffer_defaults
+        @buffer_defaults ||= buffer_option_keys.inject({}) do |hash, key|
+          hash.merge(key => defaults[key])
+        end
       end
-    end
 
-    def self.wrap(options)
-      if options.is_a?(Options)
-        options
-      else
-        Options.new(options)
+      def wrap(options)
+        if options.is_a?(Options)
+          options
+        else
+          Options.new(options)
+        end
       end
     end
 
@@ -85,6 +82,13 @@ module Haml
     # Defaults to false.
     attr_accessor :escape_html
 
+    # Sets whether or not to escape HTML-sensitive characters in interpolated strings.
+    # See also {file:REFERENCE.md#escaping_html Escaping HTML} and
+    # {file:REFERENCE.md#unescaping_html Unescaping HTML}.
+    #
+    # Defaults to the current value of `escape_html`.
+    attr_accessor :escape_filter_interpolations
+
     # The name of the Haml file being parsed.
     # This is only used as information when exceptions are raised. This is
     # automatically assigned when working through ActionView, so it's really
@@ -131,7 +135,7 @@ module Haml
     # formatting errors.
     #
     # Defaults to `false`.
-    attr_reader :remove_whitespace
+    attr_accessor :remove_whitespace
 
     # Whether or not attribute hashes and Ruby scripts designated by `=` or `~`
     # should be evaluated. If this is `true`, said scripts are rendered as empty
@@ -167,7 +171,7 @@ module Haml
     # Key is filter name in String and value is Class to use. Defaults to {}.
     attr_accessor :filters
 
-    def initialize(values = {}, &block)
+    def initialize(values = {})
       defaults.each {|k, v| instance_variable_set :"@#{k}", v}
       values.each {|k, v| send("#{k}=", v) if defaults.has_key?(k) && !v.nil?}
       yield if block_given?
@@ -237,10 +241,6 @@ module Haml
       xhtml? || @cdata
     end
 
-    def remove_whitespace=(value)
-      @remove_whitespace = value
-    end
-
     def encoding=(value)
       return unless value
       @encoding = value.is_a?(Encoding) ? value.name : value.to_s

data/lib/haml/parser.rb

@@ -1,4 +1,6 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
+require 'ripper'
 require 'strscan'
 
 module Haml
@@ -60,7 +62,7 @@ module Haml
       SILENT_SCRIPT,
       ESCAPE,
       FILTER
-    ]
+    ].freeze
 
     # The value of the character that designates that a line is part
     # of a multiline string.
@@ -74,8 +76,8 @@ module Haml
     #
     BLOCK_WITH_SPACES = /do\s*\|\s*[^\|]*\s+\|\z/
 
-    MID_BLOCK_KEYWORDS = %w[else elsif rescue ensure end when]
-    START_BLOCK_KEYWORDS = %w[if begin case unless]
+    MID_BLOCK_KEYWORDS = %w[else elsif rescue ensure end when].freeze
+    START_BLOCK_KEYWORDS = %w[if begin case unless].freeze
     # Try to parse assignments to block starters as best as possible
     START_BLOCK_KEYWORD_REGEX = /(?:\w+(?:,\s*\w+)*\s*=\s*)?(#{START_BLOCK_KEYWORDS.join('|')})/
     BLOCK_KEYWORD_REGEX = /^-?\s*(?:(#{MID_BLOCK_KEYWORDS.join('|')})|#{START_BLOCK_KEYWORD_REGEX.source})\b/
@@ -89,6 +91,9 @@ module Haml
     ID_KEY    = 'id'.freeze
     CLASS_KEY = 'class'.freeze
 
+    # Used for scanning old attributes, substituting the first '{'
+    METHOD_CALL_PREFIX = 'a('
+
     def initialize(options)
       @options = Options.wrap(options)
       # Record the indent levels of "if" statements to validate the subsequent
@@ -178,7 +183,7 @@ module Haml
     private
 
     # @private
-    class Line < Struct.new(:whitespace, :text, :full, :index, :parser, :eod)
+    Line = Struct.new(:whitespace, :text, :full, :index, :parser, :eod) do
       alias_method :eod?, :eod
 
       # @private
@@ -194,25 +199,26 @@ module Haml
     end
 
     # @private
-    class ParseNode < Struct.new(:type, :line, :value, :parent, :children)
+    ParseNode = Struct.new(:type, :line, :value, :parent, :children) do
       def initialize(*args)
         super
         self.children ||= []
       end
 
       def inspect
-        %Q[(#{type} #{value.inspect}#{children.each_with_object('') {|c, s| s << "\n#{c.inspect.gsub!(/^/, '  ')}"}})]
+        %Q[(#{type} #{value.inspect}#{children.each_with_object(''.dup) {|c, s| s << "\n#{c.inspect.gsub!(/^/, '  ')}"}})].dup
       end
     end
 
     # @param [String] new - Hash literal including dynamic values.
     # @param [String] old - Hash literal including dynamic values or Ruby literal of multiple Hashes which MUST be interpreted as method's last arguments.
-    class DynamicAttributes < Struct.new(:new, :old)
+    DynamicAttributes = Struct.new(:new, :old) do
+      undef :old=
       def old=(value)
         unless value =~ /\A{.*}\z/m
           raise ArgumentError.new('Old attributes must start with "{" and end with "}"')
         end
-        super
+        self[:old] = value
       end
 
       # This will be a literal for Haml::Buffer#attributes's last argument, `attributes_hashes`.
@@ -287,7 +293,7 @@ module Haml
     end
 
     def block_keyword(text)
-      return unless keyword = text.scan(BLOCK_KEYWORD_REGEX)[0]
+      return unless (keyword = text.scan(BLOCK_KEYWORD_REGEX)[0])
       keyword[0] || keyword[1]
     end
 
@@ -305,7 +311,7 @@ module Haml
         return ParseNode.new(:plain, line.index + 1, :text => line.text)
       end
 
-      escape_html = @options.escape_html if escape_html.nil?
+      escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
       line.text = unescape_interpolation(line.text, escape_html)
       script(line, false)
     end
@@ -534,7 +540,7 @@ module Haml
 
       # Post-process case statements to normalize the nesting of "when" clauses
       return unless node.value[:keyword] == "case"
-      return unless first = node.children.first
+      return unless (first = node.children.first)
       return unless first.type == :silent_script && first.value[:keyword] == "when"
       return if first.children.empty?
       # If the case node has a "when" child with children, it's the
@@ -583,9 +589,9 @@ module Haml
       scanner = StringScanner.new(text)
       scanner.scan(/\s+/)
       until scanner.eos?
-        return unless key = scanner.scan(LITERAL_VALUE_REGEX)
+        return unless (key = scanner.scan(LITERAL_VALUE_REGEX))
         return unless scanner.scan(/\s*=>\s*/)
-        return unless value = scanner.scan(LITERAL_VALUE_REGEX)
+        return unless (value = scanner.scan(LITERAL_VALUE_REGEX))
         return unless scanner.scan(/\s*(?:,|$)\s*/)
         attributes[eval(key).to_s] = eval(value).to_s
       end
@@ -649,13 +655,18 @@ module Haml
     # @return [String] rest
     # @return [Integer] last_line
     def parse_old_attributes(text)
-      text = text.dup
       last_line = @line.index + 1
 
       begin
-        attributes_hash, rest = balance(text, ?{, ?})
+        # Old attributes often look like a valid Hash literal, but it sometimes allow code like
+        # `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
+        #
+        # To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
+        # 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
+        balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
+        attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
       rescue SyntaxError => e
-        if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
+        if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
           text << "\n#{@next_line.text}"
           last_line += 1
           next_line
@@ -698,7 +709,7 @@ module Haml
       end
 
       static_attributes = {}
-      dynamic_attributes = "{"
+      dynamic_attributes = "{".dup
       attributes.each do |name, (type, val)|
         if type == :static
           static_attributes[name] = val
@@ -713,7 +724,7 @@ module Haml
     end
 
     def parse_new_attribute(scanner)
-      unless name = scanner.scan(/[-:\w]+/)
+      unless (name = scanner.scan(/[-:\w]+/))
         return if scanner.scan(/\)/)
         return false
       end
@@ -722,8 +733,8 @@ module Haml
       return name, [:static, true] unless scanner.scan(/=/) #/end
 
       scanner.scan(/\s*/)
-      unless quote = scanner.scan(/["']/)
-        return false unless var = scanner.scan(/(@@?|\$)?\w+/)
+      unless (quote = scanner.scan(/["']/))
+        return false unless (var = scanner.scan(/(@@?|\$)?\w+/))
         return name, [:dynamic, var]
       end
 
@@ -738,7 +749,7 @@ module Haml
 
       return name, [:static, content.first[1]] if content.size == 1
       return name, [:dynamic,
-        %!"#{content.each_with_object('') {|(t, v), s| s << (t == :str ? inspect_obj(v)[1...-1] : "\#{#{v}}")}}"!]
+        %!"#{content.each_with_object(''.dup) {|(t, v), s| s << (t == :str ? inspect_obj(v)[1...-1] : "\#{#{v}}")}}"!]
     end
 
     def next_line
@@ -809,6 +820,25 @@ module Haml
       Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
     end
 
+    # Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
+    def balance_tokens(buf, start, finish, count: 0)
+      text = ''.dup
+      Ripper.lex(buf).each do |_, token, str|
+        text << str
+        case token
+        when start
+          count += 1
+        when finish
+          count -= 1
+        end
+
+        if count == 0
+          return text, buf.sub(text, '')
+        end
+      end
+      raise SyntaxError.new(Error.message(:unbalanced_brackets))
+    end
+
     def block_opened?
       @next_line.tabs > @line.tabs
     end