module Haml
  module Helpers
    # Overrides Haml's own helpers so they behave correctly inside
    # ActionView. Its only job today is making them cooperate with
    # Rails' XSS protection: helpers that return markup flag their result
    # via Haml::Util.html_safe, and helpers that accept text run it through
    # haml_xss_html_escape (below) before use.
    module XssMods
      # On inclusion, rewires every listed helper on +base+ so the original
      # stays reachable as `<name>_without_haml_xss` while `<name>` itself
      # resolves to the `<name>_with_haml_xss` variant defined in this module.
      def self.included(base)
        wrapped_helpers = %w[html_escape find_and_preserve preserve list_of surround
                             precede succeed capture_haml haml_concat haml_indent
                             haml_tag escape_once]
        wrapped_helpers.each do |helper|
          base.send(:alias_method, "#{helper}_without_haml_xss", helper)
          base.send(:alias_method, helper, "#{helper}_with_haml_xss")
        end
      end

      # Text whose string form is already flagged html_safe is handed back
      # untouched (the original object, not its string form). Anything else
      # is escaped and the escaped string is flagged html_safe.
      def html_escape_with_haml_xss(text)
        as_string = text.to_s
        if as_string.html_safe?
          text
        else
          Haml::Util.html_safe(html_escape_without_haml_xss(as_string))
        end
      end

      # Result is flagged html_safe; arguments pass through unchanged.
      def find_and_preserve_with_haml_xss(*args, &block)
        preserved = find_and_preserve_without_haml_xss(*args, &block)
        Haml::Util.html_safe(preserved)
      end

      # Result is flagged html_safe; arguments pass through unchanged.
      def preserve_with_haml_xss(*args, &block)
        preserved = preserve_without_haml_xss(*args, &block)
        Haml::Util.html_safe(preserved)
      end

      # Result is flagged html_safe; arguments pass through unchanged.
      def list_of_with_haml_xss(*args, &block)
        listing = list_of_without_haml_xss(*args, &block)
        Haml::Util.html_safe(listing)
      end

      # Both delimiters go through haml_xss_html_escape before the original
      # helper sees them; the assembled result is flagged html_safe.
      # Note that +back+ defaults to +front+ and is escaped on its own.
      def surround_with_haml_xss(front, back = front, &block)
        safe_front = haml_xss_html_escape(front)
        safe_back = haml_xss_html_escape(back)
        Haml::Util.html_safe(surround_without_haml_xss(safe_front, safe_back, &block))
      end

      # +str+ is escaped (subject to haml_xss_html_escape's conditions);
      # the result is flagged html_safe.
      def precede_with_haml_xss(str, &block)
        safe_str = haml_xss_html_escape(str)
        Haml::Util.html_safe(precede_without_haml_xss(safe_str, &block))
      end

      # +str+ is escaped (subject to haml_xss_html_escape's conditions);
      # the result is flagged html_safe.
      def succeed_with_haml_xss(str, &block)
        safe_str = haml_xss_html_escape(str)
        Haml::Util.html_safe(succeed_without_haml_xss(safe_str, &block))
      end

      # Whatever the block captured is flagged html_safe as a whole.
      def capture_haml_with_haml_xss(*args, &block)
        captured = capture_haml_without_haml_xss(*args, &block)
        Haml::Util.html_safe(captured)
      end

      # Escapes +text+ before appending it, except while @_haml_concat_raw is
      # set (see haml_tag_with_haml_xss), in which case it is appended as-is.
      def haml_concat_with_haml_xss(text = "")
        payload =
          if @_haml_concat_raw
            text
          else
            haml_xss_html_escape(text)
          end
        haml_concat_without_haml_xss(payload)
      end

      # The indentation string is flagged html_safe.
      def haml_indent_with_haml_xss
        Haml::Util.html_safe(haml_indent_without_haml_xss)
      end

      # The tag name is always stringified and escaped. A leading text
      # argument is escaped too; a leading Symbol (flag), Hash (attributes)
      # or nothing at all is passed through untouched, so escaping of
      # attribute values is left to the original helper — confirm there.
      # The wrapped call runs with raw concatenation so the markup the
      # original helper emits is not escaped a second time.
      def haml_tag_with_haml_xss(name, *rest, &block)
        name = haml_xss_html_escape(name.to_s)
        case rest.first
        when Symbol, Hash, NilClass
          # no leading text argument to escape
        else
          rest[0] = haml_xss_html_escape(rest.first.to_s)
        end
        with_raw_haml_concat { haml_tag_without_haml_xss(name, *rest, &block) }
      end

      # Result is flagged html_safe; arguments pass through unchanged.
      def escape_once_with_haml_xss(*args)
        escaped = escape_once_without_haml_xss(*args)
        Haml::Util.html_safe(escaped)
      end

      private

      # Escapes +text+ only when Rails XSS protection is active *and* the
      # buffer's :escape_html option is set; otherwise +text+ is returned
      # exactly as given. Because of the short-circuit, haml_buffer is not
      # consulted at all when rails_xss_safe? is false.
      def haml_xss_html_escape(text)
        escaping_enabled = Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html]
        escaping_enabled ? html_escape(text) : text
      end
    end

    class ErrorReturn
      # Route every html_safe-related call to to_s, so that treating an
      # ErrorReturn as a string surfaces the underlying error instead of
      # silently marking it safe (to_s is defined elsewhere — confirm it raises).
      alias_method :html_safe, :to_s
      alias_method :html_safe?, :to_s
      alias_method :html_safe!, :to_s
    end
  end
end

module ActionView
  module Helpers
    module CaptureHelper
      # Flags the captured buffer (or each element, when an Array comes
      # back) as html_safe without inspecting its content; any other return
      # value is passed through. Presumably relies on Haml having already
      # escaped what it wrote into the buffer — verify against the caller.
      def with_output_buffer_with_haml_xss(*args, &block)
        captured = with_output_buffer_without_haml_xss(*args, &block)
        if captured.is_a?(Array)
          captured.map { |piece| Haml::Util.html_safe(piece) }
        elsif captured.is_a?(String)
          Haml::Util.html_safe(captured)
        else
          captured
        end
      end
      alias_method :with_output_buffer_without_haml_xss, :with_output_buffer
      alias_method :with_output_buffer, :with_output_buffer_with_haml_xss
    end

    module FormTagHelper
      # Without a block the returned tag string is flagged html_safe;
      # with a block the original's return value is handed back untouched.
      def form_tag_with_haml_xss(*args, &block)
        markup = form_tag_without_haml_xss(*args, &block)
        block_given? ? markup : Haml::Util.html_safe(markup)
      end
      alias_method :form_tag_without_haml_xss, :form_tag
      alias_method :form_tag, :form_tag_with_haml_xss
    end

    module FormHelper
      # A String result is flagged html_safe; anything else is returned as-is.
      def form_for_with_haml_xss(*args, &block)
        result = form_for_without_haml_xss(*args, &block)
        result.is_a?(String) ? Haml::Util.html_safe(result) : result
      end
      alias_method :form_for_without_haml_xss, :form_for
      alias_method :form_for, :form_for_with_haml_xss
    end

    module TextHelper
      # Inside a Haml template, appends +string+ to Haml's buffer after
      # haml_xss_html_escape; outside Haml, defers to Rails' own concat.
      def concat_with_haml_xss(string)
        return concat_without_haml_xss(string) unless is_haml?
        haml_buffer.buffer.concat(haml_xss_html_escape(string))
      end
      alias_method :concat_without_haml_xss, :concat
      alias_method :concat, :concat_with_haml_xss

      # safe_concat was introduced in Rails 3.0; only wrap it when present.
      if Haml::Util.has?(:instance_method, self, :safe_concat)
        # Inside a Haml template, appends +string+ to Haml's buffer with no
        # escaping at all — the caller vouches for it, as with Rails'
        # safe_concat. Outside Haml, defers to the original.
        def safe_concat_with_haml_xss(string)
          return safe_concat_without_haml_xss(string) unless is_haml?
          haml_buffer.buffer.concat(string)
        end
        alias_method :safe_concat_without_haml_xss, :safe_concat
        alias_method :safe_concat, :safe_concat_with_haml_xss
      end
    end
  end
end