haml 5.0.4 → 5.2.2

data/lib/haml/helpers/xss_mods.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   module Helpers
     # This module overrides Haml helpers to work properly
@@ -7,12 +8,15 @@ module Haml
     # to work with Rails' XSS protection methods.
     module XssMods
       def self.included(base)
-        %w[html_escape find_and_preserve preserve list_of surround
-           precede succeed capture_haml haml_concat haml_internal_concat haml_indent
-           escape_once].each do |name|
+        %w[find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
           base.send(:alias_method, "#{name}_without_haml_xss", name)
           base.send(:alias_method, name, "#{name}_with_haml_xss")
         end
+        # Those two always have _without_haml_xss
+        %w[html_escape escape_once].each do |name|
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
       end
 
       # Don't escape text that's already safe,

data/lib/haml/helpers.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 require 'erb'
 
 module Haml
@@ -109,10 +110,7 @@ MESSAGE
     #   @yield The block within which to escape newlines
     def find_and_preserve(input = nil, tags = haml_buffer.options[:preserve], &block)
       return find_and_preserve(capture_haml(&block), input || tags) if block
-      tags = tags.each_with_object('') do |t, s|
-        s << '|' unless s.empty?
-        s << Regexp.escape(t)
-      end
+      tags = tags.map { |tag| Regexp.escape(tag) }.join('|')
       re = /<(#{tags})([^>]*)>(.*?)(<\/\1>)/im
       input.to_s.gsub(re) do |s|
         s =~ re # Can't rely on $1, etc. existing since Rails' SafeBuffer#gsub is incompatible
@@ -200,8 +198,8 @@ MESSAGE
     # @yield [item] A block which contains Haml code that goes within list items
     # @yieldparam item An element of `enum`
     def list_of(enum, opts={}, &block)
-      opts_attributes = opts.each_with_object('') {|(k, v), s| s << " #{k}='#{v}'"}
-      enum.each_with_object('') do |i, ret|
+      opts_attributes = opts.map { |k, v| " #{k}='#{v}'" }.join
+      enum.map do |i|
         result = capture_haml(i, &block)
 
         if result.count("\n") > 1
@@ -211,9 +209,8 @@ MESSAGE
           result.strip!
         end
 
-        ret << "\n" unless ret.empty?
-        ret << %Q!<li#{opts_attributes}>#{result}</li>!
-      end
+        %Q!<li#{opts_attributes}>#{result}</li>!
+      end.join("\n")
     end
 
     # Returns a hash containing default assignments for the `xmlns`, `lang`, and `xml:lang`
@@ -596,7 +593,7 @@ MESSAGE
     end
 
     # Characters that need to be escaped to HTML entities from user input
-    HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }
+    HTML_ESCAPE = {'&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'}.freeze
 
     HTML_ESCAPE_REGEX = /['"><&]/
 
@@ -610,9 +607,12 @@ MESSAGE
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def html_escape(text)
-      ERB::Util.html_escape(text)
+      CGI.escapeHTML(text.to_s)
     end
 
+    # Always escape text regardless of html_safe?
+    alias_method :html_escape_without_haml_xss, :html_escape
+
     HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
 
     # Escapes HTML entities in `text`, but without escaping an ampersand
@@ -625,6 +625,9 @@ MESSAGE
       text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
     end
 
+    # Always escape text once regardless of html_safe?
+    alias_method :escape_once_without_haml_xss, :escape_once
+
     # Returns whether or not the current template is a Haml template.
     #
     # This function, unlike other {Haml::Helpers} functions,
@@ -704,4 +707,3 @@ class Object
     false
   end
 end
-

data/lib/haml/options.rb

@@ -1,47 +1,44 @@
 # frozen_string_literal: true
+
 module Haml
   # This class encapsulates all of the configuration options that Haml
   # understands. Please see the {file:REFERENCE.md#options Haml Reference} to
   # learn how to set the options.
   class Options
-
     @valid_formats = [:html4, :html5, :xhtml]
-
     @buffer_option_keys = [:autoclose, :preserve, :attr_wrapper, :format,
-      :encoding, :escape_html, :escape_attrs, :hyphenate_data_attrs, :cdata]
+      :encoding, :escape_html, :escape_filter_interpolations, :escape_attrs, :hyphenate_data_attrs, :cdata]
 
-    # The default option values.
-    # @return Hash
-    def self.defaults
-      @defaults ||= Haml::TempleEngine.options.to_hash.merge(encoding: 'UTF-8')
-    end
+    class << self
+      # The default option values.
+      # @return Hash
+      def defaults
+        @defaults ||= Haml::TempleEngine.options.to_hash.merge(encoding: 'UTF-8')
+      end
 
-    # An array of valid values for the `:format` option.
-    # @return Array
-    def self.valid_formats
-      @valid_formats
-    end
+      # An array of valid values for the `:format` option.
+      # @return Array
+      attr_reader :valid_formats
 
-    # An array of keys that will be used to provide a hash of options to
-    # {Haml::Buffer}.
-    # @return Hash
-    def self.buffer_option_keys
-      @buffer_option_keys
-    end
+      # An array of keys that will be used to provide a hash of options to
+      # {Haml::Buffer}.
+      # @return Hash
+      attr_reader :buffer_option_keys
 
-    # Returns a subset of defaults: those that {Haml::Buffer} cares about.
-    # @return [{Symbol => Object}] The options hash
-    def self.buffer_defaults
-      @buffer_defaults ||= buffer_option_keys.inject({}) do |hash, key|
-        hash.merge(key => defaults[key])
+      # Returns a subset of defaults: those that {Haml::Buffer} cares about.
+      # @return [{Symbol => Object}] The options hash
+      def buffer_defaults
+        @buffer_defaults ||= buffer_option_keys.inject({}) do |hash, key|
+          hash.merge(key => defaults[key])
+        end
       end
-    end
 
-    def self.wrap(options)
-      if options.is_a?(Options)
-        options
-      else
-        Options.new(options)
+      def wrap(options)
+        if options.is_a?(Options)
+          options
+        else
+          Options.new(options)
+        end
       end
     end
 
@@ -85,6 +82,13 @@ module Haml
     # Defaults to false.
     attr_accessor :escape_html
 
+    # Sets whether or not to escape HTML-sensitive characters in interpolated strings.
+    # See also {file:REFERENCE.md#escaping_html Escaping HTML} and
+    # {file:REFERENCE.md#unescaping_html Unescaping HTML}.
+    #
+    # Defaults to the current value of `escape_html`.
+    attr_accessor :escape_filter_interpolations
+
     # The name of the Haml file being parsed.
     # This is only used as information when exceptions are raised. This is
     # automatically assigned when working through ActionView, so it's really
@@ -131,7 +135,7 @@ module Haml
     # formatting errors.
     #
     # Defaults to `false`.
-    attr_reader :remove_whitespace
+    attr_accessor :remove_whitespace
 
     # Whether or not attribute hashes and Ruby scripts designated by `=` or `~`
     # should be evaluated. If this is `true`, said scripts are rendered as empty
@@ -167,7 +171,7 @@ module Haml
     # Key is filter name in String and value is Class to use. Defaults to {}.
     attr_accessor :filters
 
-    def initialize(values = {}, &block)
+    def initialize(values = {})
       defaults.each {|k, v| instance_variable_set :"@#{k}", v}
       values.each {|k, v| send("#{k}=", v) if defaults.has_key?(k) && !v.nil?}
       yield if block_given?
@@ -237,10 +241,6 @@ module Haml
       xhtml? || @cdata
     end
 
-    def remove_whitespace=(value)
-      @remove_whitespace = value
-    end
-
     def encoding=(value)
       return unless value
       @encoding = value.is_a?(Encoding) ? value.name : value.to_s

data/lib/haml/parser.rb

@@ -1,4 +1,6 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
+require 'ripper'
 require 'strscan'
 
 module Haml
@@ -60,7 +62,7 @@ module Haml
       SILENT_SCRIPT,
       ESCAPE,
       FILTER
-    ]
+    ].freeze
 
     # The value of the character that designates that a line is part
     # of a multiline string.
@@ -74,8 +76,8 @@ module Haml
     #
     BLOCK_WITH_SPACES = /do\s*\|\s*[^\|]*\s+\|\z/
 
-    MID_BLOCK_KEYWORDS = %w[else elsif rescue ensure end when]
-    START_BLOCK_KEYWORDS = %w[if begin case unless]
+    MID_BLOCK_KEYWORDS = %w[else elsif rescue ensure end when].freeze
+    START_BLOCK_KEYWORDS = %w[if begin case unless].freeze
     # Try to parse assignments to block starters as best as possible
     START_BLOCK_KEYWORD_REGEX = /(?:\w+(?:,\s*\w+)*\s*=\s*)?(#{START_BLOCK_KEYWORDS.join('|')})/
     BLOCK_KEYWORD_REGEX = /^-?\s*(?:(#{MID_BLOCK_KEYWORDS.join('|')})|#{START_BLOCK_KEYWORD_REGEX.source})\b/
@@ -89,6 +91,9 @@ module Haml
     ID_KEY    = 'id'.freeze
     CLASS_KEY = 'class'.freeze
 
+    # Used for scanning old attributes, substituting the first '{'
+    METHOD_CALL_PREFIX = 'a('
+
     def initialize(options)
       @options = Options.wrap(options)
       # Record the indent levels of "if" statements to validate the subsequent
@@ -178,7 +183,7 @@ module Haml
     private
 
     # @private
-    class Line < Struct.new(:whitespace, :text, :full, :index, :parser, :eod)
+    Line = Struct.new(:whitespace, :text, :full, :index, :parser, :eod) do
       alias_method :eod?, :eod
 
       # @private
@@ -194,25 +199,26 @@ module Haml
     end
 
     # @private
-    class ParseNode < Struct.new(:type, :line, :value, :parent, :children)
+    ParseNode = Struct.new(:type, :line, :value, :parent, :children) do
       def initialize(*args)
         super
         self.children ||= []
       end
 
       def inspect
-        %Q[(#{type} #{value.inspect}#{children.each_with_object('') {|c, s| s << "\n#{c.inspect.gsub!(/^/, '  ')}"}})]
+        %Q[(#{type} #{value.inspect}#{children.each_with_object(''.dup) {|c, s| s << "\n#{c.inspect.gsub!(/^/, '  ')}"}})].dup
       end
     end
 
     # @param [String] new - Hash literal including dynamic values.
     # @param [String] old - Hash literal including dynamic values or Ruby literal of multiple Hashes which MUST be interpreted as method's last arguments.
-    class DynamicAttributes < Struct.new(:new, :old)
+    DynamicAttributes = Struct.new(:new, :old) do
+      undef :old=
       def old=(value)
         unless value =~ /\A{.*}\z/m
           raise ArgumentError.new('Old attributes must start with "{" and end with "}"')
         end
-        super
+        self[:old] = value
       end
 
       # This will be a literal for Haml::Buffer#attributes's last argument, `attributes_hashes`.
@@ -287,7 +293,7 @@ module Haml
     end
 
     def block_keyword(text)
-      return unless keyword = text.scan(BLOCK_KEYWORD_REGEX)[0]
+      return unless (keyword = text.scan(BLOCK_KEYWORD_REGEX)[0])
       keyword[0] || keyword[1]
     end
 
@@ -305,7 +311,7 @@ module Haml
         return ParseNode.new(:plain, line.index + 1, :text => line.text)
       end
 
-      escape_html = @options.escape_html if escape_html.nil?
+      escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
       line.text = unescape_interpolation(line.text, escape_html)
       script(line, false)
     end
@@ -534,7 +540,7 @@ module Haml
 
       # Post-process case statements to normalize the nesting of "when" clauses
       return unless node.value[:keyword] == "case"
-      return unless first = node.children.first
+      return unless (first = node.children.first)
       return unless first.type == :silent_script && first.value[:keyword] == "when"
       return if first.children.empty?
       # If the case node has a "when" child with children, it's the
@@ -583,9 +589,9 @@ module Haml
       scanner = StringScanner.new(text)
       scanner.scan(/\s+/)
       until scanner.eos?
-        return unless key = scanner.scan(LITERAL_VALUE_REGEX)
+        return unless (key = scanner.scan(LITERAL_VALUE_REGEX))
         return unless scanner.scan(/\s*=>\s*/)
-        return unless value = scanner.scan(LITERAL_VALUE_REGEX)
+        return unless (value = scanner.scan(LITERAL_VALUE_REGEX))
         return unless scanner.scan(/\s*(?:,|$)\s*/)
         attributes[eval(key).to_s] = eval(value).to_s
       end
@@ -649,13 +655,18 @@ module Haml
     # @return [String] rest
     # @return [Integer] last_line
     def parse_old_attributes(text)
-      text = text.dup
       last_line = @line.index + 1
 
       begin
-        attributes_hash, rest = balance(text, ?{, ?})
+        # Old attributes often look like a valid Hash literal, but it sometimes allow code like
+        # `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
+        #
+        # To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
+        # 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
+        balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
+        attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
       rescue SyntaxError => e
-        if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
+        if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
           text << "\n#{@next_line.text}"
           last_line += 1
           next_line
@@ -698,7 +709,7 @@ module Haml
       end
 
       static_attributes = {}
-      dynamic_attributes = "{"
+      dynamic_attributes = "{".dup
       attributes.each do |name, (type, val)|
         if type == :static
           static_attributes[name] = val
@@ -713,7 +724,7 @@ module Haml
     end
 
     def parse_new_attribute(scanner)
-      unless name = scanner.scan(/[-:\w]+/)
+      unless (name = scanner.scan(/[-:\w]+/))
         return if scanner.scan(/\)/)
         return false
       end
@@ -722,8 +733,8 @@ module Haml
       return name, [:static, true] unless scanner.scan(/=/) #/end
 
       scanner.scan(/\s*/)
-      unless quote = scanner.scan(/["']/)
-        return false unless var = scanner.scan(/(@@?|\$)?\w+/)
+      unless (quote = scanner.scan(/["']/))
+        return false unless (var = scanner.scan(/(@@?|\$)?\w+/))
         return name, [:dynamic, var]
       end
 
@@ -738,7 +749,7 @@ module Haml
 
       return name, [:static, content.first[1]] if content.size == 1
       return name, [:dynamic,
-        %!"#{content.each_with_object('') {|(t, v), s| s << (t == :str ? inspect_obj(v)[1...-1] : "\#{#{v}}")}}"!]
+        %!"#{content.each_with_object(''.dup) {|(t, v), s| s << (t == :str ? inspect_obj(v)[1...-1] : "\#{#{v}}")}}"!]
     end
 
     def next_line
@@ -809,6 +820,25 @@ module Haml
       Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
     end
 
+    # Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
+    def balance_tokens(buf, start, finish, count: 0)
+      text = ''.dup
+      Ripper.lex(buf).each do |_, token, str|
+        text << str
+        case token
+        when start
+          count += 1
+        when finish
+          count -= 1
+        end
+
+        if count == 0
+          return text, buf.sub(text, '')
+        end
+      end
+      raise SyntaxError.new(Error.message(:unbalanced_brackets))
+    end
+
     def block_opened?
       @next_line.tabs > @line.tabs
     end

data/lib/haml/plugin.rb

@@ -1,11 +1,17 @@
 # frozen_string_literal: true
+
 module Haml
 
   # This module makes Haml work with Rails using the template handler API.
   class Plugin
+    class << self
+      attr_accessor :annotate_rendered_view_with_filenames
+    end
+    self.annotate_rendered_view_with_filenames = false
+
     def handles_encoding?; true; end
 
-    def compile(template)
+    def compile(template, source)
       options = Haml::Template.options.dup
       if template.respond_to?(:type)
         options[:mime_type] = template.type
@@ -13,14 +19,28 @@ module Haml
         options[:mime_type] = template.mime_type
       end
       options[:filename] = template.identifier
-      Haml::Engine.new(template.source, options).compiler.precompiled_with_ambles(
+
+      preamble = '@output_buffer = output_buffer ||= ActionView::OutputBuffer.new if defined?(ActionView::OutputBuffer);'
+      postamble = ''
+
+      if self.class.annotate_rendered_view_with_filenames
+        # short_identifier is only available in Rails 6+. On older versions, 'inspect' gives similar results.
+        ident = template.respond_to?(:short_identifier) ? template.short_identifier : template.inspect
+        preamble += "haml_concat '<!-- BEGIN #{ident} -->'.html_safe;"
+        postamble += "haml_concat '<!-- END #{ident} -->'.html_safe;"
+      end
+
+      Haml::Engine.new(source, options).compiler.precompiled_with_ambles(
         [],
-        after_preamble: '@output_buffer = output_buffer ||= ActionView::OutputBuffer.new if defined?(ActionView::OutputBuffer)',
+        after_preamble: preamble,
+        before_postamble: postamble
       )
     end
 
-    def self.call(template)
-      new.compile(template)
+    def self.call(template, source = nil)
+      source ||= template.source
+
+      new.compile(template, source)
     end
 
     def cache_fragment(block, name = {}, options = nil)

data/lib/haml/railtie.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
+
 require 'haml/template/options'
 
 # check for a compatible Rails version when Haml is loaded
 if (activesupport_spec = Gem.loaded_specs['activesupport'])
-  if activesupport_spec.version.to_s < '3.2'
-    raise Exception.new("\n\n** Haml now requires Rails 3.2 and later. Use Haml version 4.0.4\n\n")
+  if activesupport_spec.version.to_s < '4.0'
+    raise Exception.new("\n\n** Haml now requires Rails 4.0 and later. Use Haml version 4.0.x\n\n")
   end
 end
 
@@ -33,8 +34,7 @@ module Haml
         # solved by looking for ::Erubi first.
         # However, in JRuby, the const_defined? finds it anyway, so we must make sure that it's
         # not just a reference to ::Erubi.
-        if defined?(::Erubi) && const_defined?('ActionView::Template::Handlers::ERB::Erubi') &&
-            ActionView::Template::Handlers::ERB::Erubi != ::Erubi
+        if defined?(::Erubi) && (::ActionView::Template::Handlers::ERB.const_get('Erubi') != ::Erubi)
           require "haml/helpers/safe_erubi_template"
           Haml::Filters::RailsErb.template_class = Haml::SafeErubiTemplate
         else
@@ -42,6 +42,11 @@ module Haml
           Haml::Filters::RailsErb.template_class = Haml::SafeErubisTemplate
         end
         Haml::Template.options[:filters] = { 'erb' => Haml::Filters::RailsErb }
+
+        if app.config.respond_to?(:action_view) &&
+           app.config.action_view.annotate_rendered_view_with_filenames
+          Haml::Plugin.annotate_rendered_view_with_filenames = true
+        end
       end
     end
   end

data/lib/haml/sass_rails_filter.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   module Filters
     # This is an extension of Sass::Rails's SassTemplate class that allows

data/lib/haml/template/options.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 # We keep options in its own self-contained file
 # so that we can load it independently in Rails 3,
 # where the full template stuff is lazy-loaded.

data/lib/haml/template.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'haml/template/options'
 if defined?(ActiveSupport)
   ActiveSupport.on_load(:action_view) do

data/lib/haml/temple_engine.rb

@@ -1,4 +1,5 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
+
 require 'temple'
 require 'haml/escapable'
 require 'haml/generator'
@@ -13,6 +14,7 @@ module Haml
       encoding:             nil,
       escape_attrs:         true,
       escape_html:          false,
+      escape_filter_interpolations: nil,
       filename:             '(haml)',
       format:               :html5,
       hyphenate_data_attrs: true,
@@ -49,12 +51,12 @@ module Haml
     # @return [String]
     def precompiled
       encoding = Encoding.find(@encoding || '')
-      return @precompiled.force_encoding(encoding) if encoding == Encoding::ASCII_8BIT
+      return @precompiled.dup.force_encoding(encoding) if encoding == Encoding::ASCII_8BIT
       return @precompiled.encode(encoding)
     end
 
     def precompiled_with_return_value
-      "#{precompiled};#{precompiled_method_return_value}"
+      "#{precompiled};#{precompiled_method_return_value}".dup
     end
 
     # The source code that is evaluated to produce the Haml document.
@@ -63,21 +65,22 @@ module Haml
     # (see {file:REFERENCE.md#encodings the `:encoding` option}).
     #
     # @return [String]
-    def precompiled_with_ambles(local_names, after_preamble: '')
-      preamble = <<END.tr!("\n", ';')
+    def precompiled_with_ambles(local_names, after_preamble: '', before_postamble: '')
+      preamble = <<END.tr("\n", ';')
 begin
 extend Haml::Helpers
 _hamlout = @haml_buffer = Haml::Buffer.new(haml_buffer, #{Options.new(options).for_buffer.inspect})
 _erbout = _hamlout.buffer
 #{after_preamble}
 END
-      postamble = <<END.tr!("\n", ';')
+      postamble = <<END.tr("\n", ';')
+#{before_postamble}
 #{precompiled_method_return_value}
 ensure
 @haml_buffer = @haml_buffer.upper if @haml_buffer
 end
 END
-      "#{preamble}#{locals_code(local_names)}#{precompiled}#{postamble}"
+      "#{preamble}#{locals_code(local_names)}#{precompiled}#{postamble}".dup
     end
 
     private
@@ -99,12 +102,12 @@ END
     def locals_code(names)
       names = names.keys if Hash === names
 
-      names.each_with_object('') do |name, code|
+      names.map do |name|
         # Can't use || because someone might explicitly pass in false with a symbol
         sym_local = "_haml_locals[#{inspect_obj(name.to_sym)}]"
         str_local = "_haml_locals[#{inspect_obj(name.to_s)}]"
-        code << "#{name} = #{sym_local}.nil? ? #{str_local} : #{sym_local};"
-      end
+        "#{name} = #{sym_local}.nil? ? #{str_local} : #{sym_local};"
+      end.join
     end
 
     def inspect_obj(obj)

data/lib/haml/temple_line_counter.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
   # A module to count lines of expected code. This would be faster than actual code generation
   # and counting newlines in it.

data/lib/haml/util.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 begin
   require 'erubis/tiny'
@@ -166,7 +166,7 @@ MSG
     #   and the rest of the string.
     #   `["Foo (Bar (Baz bang) bop)", " (Bang (bop bip))"]` in the example above.
     def balance(scanner, start, finish, count = 0)
-      str = ''
+      str = ''.dup
       scanner = StringScanner.new(scanner) unless scanner.is_a? StringScanner
       regexp = Regexp.new("(.*?)[\\#{start.chr}\\#{finish.chr}]", Regexp::MULTILINE)
       while scanner.scan(regexp)
@@ -199,7 +199,7 @@ MSG
     end
 
     def unescape_interpolation(str, escape_html = nil)
-      res = ''
+      res = ''.dup
       rest = Haml::Util.handle_interpolation str.dump do |scan|
         escapes = (scan[2].size - 1) / 2
         char = scan[3] # '{', '@' or '$'
@@ -212,8 +212,8 @@ MSG
           else
             scan.scan(/\w+/)
           end
-          content = eval('"' + interpolated + '"')
-          content.prepend(char) if char == '@' || char == '$'
+          content = eval("\"#{interpolated}\"")
+          content = "#{char}#{content}" if char == '@' || char == '$'
           content = "Haml::Helpers.html_escape((#{content}))" if escape_html
 
           res << "\#{#{content}}"
@@ -234,7 +234,7 @@ MSG
       scanner = StringScanner.new(str.dup.force_encoding(Encoding::ASCII_8BIT))
       bom = scanner.scan(/\xEF\xBB\xBF/n)
       return bom unless scanner.scan(/-\s*#\s*/n)
-      if coding = try_parse_haml_emacs_magic_comment(scanner)
+      if (coding = try_parse_haml_emacs_magic_comment(scanner))
         return bom, coding
       end
 

data/lib/haml/version.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Haml
-  VERSION = "5.0.4"
+  VERSION = "5.2.2"
 end

data/lib/haml.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'haml/version'
 
 # The module that contains everything Haml-related: