haml 2.2.19 → 2.2.20



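--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-2.2.19
+2.2.20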
@@ -4,7 +4,7 @@
4
4
 
5
5
  ;; Author: Nathan Weizenbaum
6
6
  ;; URL: http://github.com/nex3/haml/tree/master
7
- ;; Version: 2.2.18
7
+ ;; Version: 2.2.20
8
8
  ;; Created: 2007-03-08
9
9
  ;; By: Nathan Weizenbaum
10
10
  ;; Keywords: markup, language, html
@@ -26,10 +26,10 @@
26
26
  (require 'ruby-mode)
27
27
 
28
28
  ;; Additional (optional) libraries for fontification
29
- (require 'css-mode nil nil)
30
- (require 'textile-mode nil nil)
31
- (require 'markdown-mode nil nil)
32
- (require 'javascript-mode "javascript" nil)
29
+ (require 'css-mode nil t)
30
+ (require 'textile-mode nil t)
31
+ (require 'markdown-mode nil t)
32
+ (require 'javascript-mode "javascript" t)
33
33
 
34
34
 
35
35
  ;; User definable variables
@@ -4,11 +4,11 @@
4
4
 
5
5
  ;; Author: Nathan Weizenbaum
6
6
  ;; URL: http://github.com/nex3/haml/tree/master
7
- ;; Version: 2.2.18
7
+ ;; Version: 2.2.20
8
8
  ;; Created: 2007-03-15
9
9
  ;; By: Nathan Weizenbaum
10
10
  ;; Keywords: markup, language, css
11
- ;; Package-Requires: ((haml-mode "2.2.18"))
11
+ ;; Package-Requires: ((haml-mode "2.2.20"))
12
12
 
13
13
  ;;; Commentary:
14
14
 
@@ -519,12 +519,12 @@ END
519
519
  # @yield A block in which the given buffer should be used
520
520
  def with_haml_buffer(buffer)
521
521
  @haml_buffer, old_buffer = buffer, @haml_buffer
522
- old_buffer.active, was_active = false, old_buffer.active? if old_buffer
523
- @haml_buffer.active = true
522
+ old_buffer.active, old_was_active = false, old_buffer.active? if old_buffer
523
+ @haml_buffer.active, was_active = true, @haml_buffer.active?
524
524
  yield
525
525
  ensure
526
- @haml_buffer.active = false
527
- old_buffer.active = was_active if old_buffer
526
+ @haml_buffer.active = was_active
527
+ old_buffer.active = old_was_active if old_buffer
528
528
  @haml_buffer = old_buffer
529
529
  end
530
530
 
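Review bot: The comment on 519 documents only the yielded block, while 523 and 526 now capture and restore the given buffer's own `active?` state in addition to the previous buffer's, which is the behavioural change here and is not stated anywhere; a line such as `# Restores the active flag of both the given and the previous buffer when the block exits.` above 519 would cover it. One ordering detail is worth a look: `was_active` is assigned on 523, after 522 has already flipped `old_buffer.active` to false, so if 523 raises the `ensure` on 526 writes nil into the new buffer while 527 still restores the old one correctly; reading `was_active = @haml_buffer.active?` before 522 would make the two restores symmetric. The method is contained entirely within the hunk.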
@@ -45,10 +45,10 @@ module Haml
45
45
  # @yield A block in which all input to `#haml_concat` is treated as raw.
46
46
  # @see Haml::Util#rails_xss_safe?
47
47
  def with_raw_haml_concat
48
- @_haml_concat_raw = true
48
+ @_haml_concat_raw, old = true, @_haml_concat_raw
49
49
  yield
50
50
  ensure
51
- @_haml_concat_raw = false
51
+ @_haml_concat_raw = old
52
52
  end
53
53
  end
54
54
  end
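Review bot: The `@yield` comment on 45 still describes only the block, while the new 48 and 51 now save and restore the previous value of `@_haml_concat_raw` instead of forcing it back to false, which is what makes nested calls safe and is not documented; a line such as `# Nesting is safe: the previous raw-concat state is restored when the block exits.` would record it. Because this flag switches off escaping in `#haml_concat`, restoring rather than clearing it also means an outer raw context stays raw after an inner block ends, which appears to be the intended scoping and is worth stating explicitly so nobody "fixes" it back to `false`.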
@@ -125,7 +125,7 @@ module ActionView
125
125
  @template_object.send :is_haml?
126
126
  end
127
127
 
128
- unless defined?(ActionView::Helpers::ActiveRecordInstanceTag)
128
+ unless defined?(ActionView::Helpers) && defined?(ActionView::Helpers::ActiveRecordInstanceTag)
129
129
  alias_method :content_tag_without_haml, :content_tag
130
130
  alias_method :content_tag, :content_tag_with_haml
131
131
  end
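Review bot: The extra `defined?(ActionView::Helpers) &&` guard on 128 carries no comment explaining why the plain `defined?(ActionView::Helpers::ActiveRecordInstanceTag)` was not enough, and the same hand-written guard chain recurs in the hunks at `@@ -46,7 +46,8 @@` (the loader `if`), `@@ -3,8 +3,11 @@` (the `Plugin` class), `@@ -48,12 +48,12 @@` (`disable_native_plugin!`) and `@@ -7,7 +7,8 @@` (the `to_prepare` hook). In plain Ruby `defined?(A::B)` returns nil without raising when `A` is missing, so the guards presumably exist because a Rails-style `const_missing` autoloader can be invoked by the nested lookup; if that is the reason, one comment at this first site, e.g. `# Check each namespace separately so a missing parent never triggers const_missing autoloading.`, would stop a later cleanup from collapsing the chains. Since the chain is now repeated six times, a small predicate in `Haml::Util` next to `has?` would also keep the intent in one place.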
@@ -97,28 +97,36 @@ end
97
97
 
98
98
  module ActionView
99
99
  module Helpers
100
+ module FormTagHelper
101
+ def form_tag_with_haml_xss(*args, &block)
102
+ Haml::Util.html_safe(form_tag_without_haml_xss(*args, &block))
103
+ end
104
+ alias_method :form_tag_without_haml_xss, :form_tag
105
+ alias_method :form_tag, :form_tag_with_haml_xss
106
+ end
107
+
100
108
  module TextHelper
101
- def concat_with_haml(string)
109
+ def concat_with_haml_xss(string)
102
110
  if is_haml?
103
111
  haml_buffer.buffer.concat(haml_xss_html_escape(string))
104
112
  else
105
- concat_without_haml(string)
113
+ concat_without_haml_xss(string)
106
114
  end
107
115
  end
108
- alias_method :concat_without_haml, :concat
109
- alias_method :concat, :concat_with_haml
116
+ alias_method :concat_without_haml_xss, :concat
117
+ alias_method :concat, :concat_with_haml_xss
110
118
 
111
119
  # safe_concat was introduced in Rails 3.0
112
120
  if Haml::Util.has?(:instance_method, self, :safe_concat)
113
- def safe_concat_with_haml(string)
121
+ def safe_concat_with_haml_xss(string)
114
122
  if is_haml?
115
123
  haml_buffer.buffer.concat(string)
116
124
  else
117
- safe_concat_without_haml(string)
125
+ safe_concat_without_haml_xss(string)
118
126
  end
119
127
  end
120
- alias_method :safe_concat_without_haml, :safe_concat
121
- alias_method :safe_concat, :safe_concat_with_haml
128
+ alias_method :safe_concat_without_haml_xss, :safe_concat
129
+ alias_method :safe_concat, :safe_concat_with_haml_xss
122
130
  end
123
131
  end
124
132
  end
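Review bot: `Haml::Util.html_safe(form_tag_without_haml_xss(*args, &block))` on 102 marks the whole `form_tag` result as safe, which is only correct if the underlying Rails helper has already escaped the `action` URL and any `html_options` values it was handed; that assumption is what keeps those attributes out of the unescaped branch of `concat_with_haml_xss` on 109–115, so it deserves a comment above 101 such as `# form_tag escapes its own attribute values; marking the result safe only stops the concat wrapper from escaping it again.` The new `alias_method` pair on 104–105 has no guard against being evaluated twice, so if this file can be required again under code reloading, `form_tag_without_haml_xss` would end up pointing at the wrapper and recurse — worth confirming, since the concat aliases on 116–117 and 128–129 share the same shape. In the block form of `form_tag` the helper may write through `concat` rather than return the markup, so `html_safe` must tolerate whatever it returns; the `form_for` regression test added in this commit appears to exercise that path and a short note saying so would help. The enclosing `module ActionView` opened on 98 closes after the hunk.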
@@ -46,7 +46,8 @@ end
46
46
  # Decide how we want to load Haml into Rails.
47
47
  # Patching was necessary for versions <= 2.0.1,
48
48
  # but we can make it a normal handler for higher versions.
49
- if defined?(ActionView::TemplateHandler) || defined?(ActionView::Template::Handler)
49
+ if defined?(ActionView::TemplateHandler) ||
50
+ (defined?(ActionView::Template) && defined?(ActionView::Template::Handler))
50
51
  require 'haml/template/plugin'
51
52
  else
52
53
  require 'haml/template/patch'
@@ -3,8 +3,11 @@
3
3
 
4
4
  module Haml
5
5
  class Plugin < Haml::Util.av_template_class(:Handler)
6
- if defined?(ActionView::TemplateHandlers::Compilable) ||
7
- defined?(ActionView::Template::Handlers::Compilable)
6
+ if (defined?(ActionView::TemplateHandlers) &&
7
+ defined?(ActionView::TemplateHandlers::Compilable)) ||
8
+ (defined?(ActionView::Template) &&
9
+ defined?(ActionView::Template::Handlers) &&
10
+ defined?(ActionView::Template::Handlers::Compilable))
8
11
  include Haml::Util.av_template_class(:Handlers)::Compilable
9
12
  end
10
13
 
@@ -104,7 +104,7 @@ END
104
104
  return unless f.readline("\n").strip == sha
105
105
  return Marshal.load(f.read)
106
106
  end
107
- rescue TypeError, ArgumentError => e
107
+ rescue EOFError, TypeError, ArgumentError => e
108
108
  warn "Warning. Error encountered while reading cache #{compiled_filename}: #{e}"
109
109
  end
110
110
 
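Review bot: The `sha` comparison on 104 only distinguishes a stale cache entry from a current one, so `Marshal.load(f.read)` on 105 still deserializes whatever bytes are in the cache file, and widening the rescue on 107 to `EOFError` makes more malformed files tolerated without making that trust boundary visible; a comment near the `File.open` such as `# The cache is trusted input: Marshal.load performs no validation, so the cache directory must be writable only by this application.` would document it. `EOFError` is the right addition here because an empty or truncated file makes `f.readline` on 104 raise it before the `==` check is reached, while a truncated Marshal stream already fell under `ArgumentError`. The method that opens the file starts before the hunk.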
@@ -48,12 +48,12 @@ module Sass
48
48
  # This is automatically done once the Rack plugin is activated.
49
49
  # This is done so that the stylesheets aren't checked twice for each request.
50
50
  def self.disable_native_plugin!
51
- if defined?(Merb::Rack::Application) &&
51
+ if defined?(Merb::Rack) && defined?(Merb::Rack::Application) &&
52
52
  Haml::Util.has?(:instance_method, Merb::Rack::Application, :call_without_sass)
53
53
  Merb::Rack::Application.instance_eval {alias_method :call, :call_without_sass}
54
54
  end
55
55
 
56
- if defined?(ActionDispatch::Callbacks.to_prepare)
56
+ if defined?(ActionDispatch::Callbacks) && defined?(ActionDispatch::Callbacks.to_prepare)
57
57
  ActionDispatch::Callbacks.skip_callback(:prepare, :__sass_process)
58
58
  elsif defined?(ActionController::Base) &&
59
59
  Haml::Util.has?(:instance_method, ActionController::Base, :sass_old_process)
@@ -7,7 +7,8 @@ unless defined?(Sass::RAILS_LOADED)
7
7
  :always_check => Haml::Util.rails_env != "production",
8
8
  :full_exception => Haml::Util.rails_env != "production")
9
9
 
10
- if defined?(ActionDispatch::Callbacks.to_prepare)
10
+ if defined?(ActionDispatch::Callbacks) &&
11
+ defined?(ActionDispatch::Callbacks.to_prepare)
11
12
  # Rails >= 3.0.0
12
13
  ActionDispatch::Callbacks.to_prepare(:sass_process) {Sass::Plugin.check_for_updates}
13
14
  else
@@ -306,5 +306,38 @@ END
306
306
  assert_equal("Foo & Bar", render('- safe_concat "Foo & Bar"', :action_view))
307
307
  end
308
308
  end
309
+
310
+ ## Regression
311
+
312
+ def test_xss_protection_with_nested_haml_tag
313
+ assert_equal(<<HTML, render(<<HAML, :action_view))
314
+ <div>
315
+ <ul>
316
+ <li>Content!</li>
317
+ </ul>
318
+ </div>
319
+ HTML
320
+ - haml_tag :div do
321
+ - haml_tag :ul do
322
+ - haml_tag :li, "Content!"
323
+ HAML
324
+ end
325
+
326
+ def test_xss_protection_with_form_for
327
+ assert_equal(<<HTML, render(<<HAML, :action_view))
328
+ <form action="" method="post">
329
+ Title:
330
+ <input id="article_title" name="article[title]" size="30" type="text" value="Hello" />
331
+ Body:
332
+ <input id="article_body" name="article[body]" size="30" type="text" value="World" />
333
+ </form>
334
+ HTML
335
+ - form_for :article, @article, :url => '' do |f|
336
+ Title:
337
+ = f.text_field :title
338
+ Body:
339
+ = f.text_field :body
340
+ HAML
341
+ end
309
342
  end
310
343
  end
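Review bot: Both new tests, `test_xss_protection_with_nested_haml_tag` on 312 and `test_xss_protection_with_form_for` on 326, assert only that safe markup is not escaped a second time; neither pins the other half of the contract, that a value containing `<` or `&` in the `@article` fields is still escaped exactly once after `form_tag`'s result is marked `html_safe`. A third case using the same `form_for` template with a title holding markup characters, asserting the entity-encoded `value=` attribute, would make the `xss_protection` in the test names literal. `@article` is set up outside the hunk, so the fixture that supplies `Hello`/`World` is not visible here, and the enclosing test class starts before the hunk.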
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: haml
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.19
4
+ version: 2.2.20
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nathan Weizenbaum
@@ -10,7 +10,7 @@ autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
12
 
13
- date: 2010-02-07 00:00:00 -08:00
13
+ date: 2010-02-15 00:00:00 -08:00
14
14
  default_executable:
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency