Module Haml::Helpers::XssMods
In: lib/haml/helpers/xss_mods.rb
This module overrides Haml helpers to work properly in the context of ActionView. Currently it's only used for modifying the helpers to work with Rails' XSS protection methods.
    # File lib/haml/helpers/xss_mods.rb, line 8
    def self.included(base)
      %w[html_escape find_and_preserve preserve list_of surround
         precede succeed capture_haml haml_concat haml_indent
         haml_tag escape_once].each do |name|
        base.send(:alias_method, "#{name}_without_haml_xss", name)
        base.send(:alias_method, name, "#{name}_with_haml_xss")
      end
    end
Input is escaped.

    # File lib/haml/helpers/xss_mods.rb, line 64
    def haml_concat_with_haml_xss(text = "")
      haml_concat_without_haml_xss(@_haml_concat_raw ? text : haml_xss_html_escape(text))
    end
Input is escaped; haml_concat'ed output is always HTML safe.

    # File lib/haml/helpers/xss_mods.rb, line 74
    def haml_tag_with_haml_xss(name, *rest, &block)
      name = haml_xss_html_escape(name.to_s)
      rest.unshift(haml_xss_html_escape(rest.shift.to_s)) unless [Symbol, Hash, NilClass].any? {|t| rest.first.is_a? t}
      with_raw_haml_concat {haml_tag_without_haml_xss(name, *rest, &block)}
    end
Escapes the HTML in the text if and only if Rails XSS protection is enabled and the `:escape_html` option is set.

    # File lib/haml/helpers/xss_mods.rb, line 89
    def haml_xss_html_escape(text)
      return text unless Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html]
      html_escape(text)
    end
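The following is an added example, not Haml's own code, that models the whole mechanism documented above in one runnable file: the alias swap performed in `included`, the raw-versus-escaped branch in `haml_concat_with_haml_xss`, the name and first-argument escaping in `haml_tag_with_haml_xss`, and the two-condition gate in `haml_xss_html_escape`. `DemoHelpers`, `DemoBuffer`, `DemoView`, `DemoXssMods` and the `xss_safe` flag (standing in for `Haml::Util.rails_xss_safe?`) are constructed stand-ins so the example runs without Rails or Haml installed; the real helpers take more arguments than the stand-ins do.

```ruby
require "cgi"

# Constructed stand-in for the per-render Haml buffer; only :escape_html matters here.
class DemoBuffer
  attr_reader :options

  def initialize(options)
    @options = options
  end
end

# Constructed stand-ins for the plain Haml helpers that XssMods wraps.
# They trust their caller, which is exactly why the wrapper is needed.
module DemoHelpers
  def html_escape(text)
    CGI.escapeHTML(text.to_s)
  end

  # Appends text to the buffer verbatim.
  def haml_concat(text = "")
    @output << text.to_s
  end

  # Emits <name>text</name> through haml_concat, as the real helper does.
  def haml_tag(name, text = nil)
    haml_concat("<#{name}>")
    haml_concat(text.to_s) if text
    haml_concat("</#{name}>")
  end
end

# Hypothetical module mirroring the XssMods pattern: the _with_haml_xss
# variant takes over the public name, the original survives as _without_haml_xss.
module DemoXssMods
  def self.included(base)
    %w[haml_concat haml_tag].each do |name|
      base.send(:alias_method, "#{name}_without_haml_xss", name)
      base.send(:alias_method, name, "#{name}_with_haml_xss")
    end
  end

  # Escape only when both the framework flag and the render option ask for it.
  # `xss_safe` is the assumed stand-in for Haml::Util.rails_xss_safe?.
  def haml_xss_html_escape(text)
    return text unless xss_safe && haml_buffer.options[:escape_html]
    html_escape(text)
  end

  # Untrusted input is escaped unless a helper has switched to raw mode.
  def haml_concat_with_haml_xss(text = "")
    haml_concat_without_haml_xss(@_haml_concat_raw ? text : haml_xss_html_escape(text))
  end

  # Tag name and a leading String argument are escaped up front; the markup the
  # helper builds itself is then emitted raw so it is not escaped a second time.
  def haml_tag_with_haml_xss(name, *rest)
    name = haml_xss_html_escape(name.to_s)
    rest.unshift(haml_xss_html_escape(rest.shift.to_s)) unless [Symbol, Hash, NilClass].any? { |t| rest.first.is_a?(t) }
    with_raw_haml_concat { haml_tag_without_haml_xss(name, *rest) }
  end

  def with_raw_haml_concat
    previous = @_haml_concat_raw
    @_haml_concat_raw = true
    yield
  ensure
    @_haml_concat_raw = previous
  end
end

# Constructed render context. Including the plain helpers first and the XSS
# module second is the order that makes the alias swap in `included` work.
class DemoView
  include DemoHelpers
  include DemoXssMods
  attr_reader :output, :xss_safe

  def initialize(escape_html: true, xss_safe: true)
    @output = +""
    @xss_safe = xss_safe
    @buffer = DemoBuffer.new(escape_html: escape_html)
  end

  def haml_buffer
    @buffer
  end
end

# Pushes one untrusted string through the wrapped haml_concat and returns the buffer.
def render_concat(text, escape_html: true, xss_safe: true)
  view = DemoView.new(escape_html: escape_html, xss_safe: xss_safe)
  view.haml_concat(text)
  view.output
end

# Renders a tag with an untrusted body: the body is escaped once, the
# surrounding <name>...</name> markup is left intact.
def render_tag(name, text)
  view = DemoView.new
  view.haml_tag(name, text)
  view.output
end
```

Two things worth checking in a project that relies on this pattern: disabling either `:escape_html` or the framework-level flag silently turns the wrapper into a pass-through (`render_concat("<b>", escape_html: false)` returns `<b>` unchanged), and the raw flag set by `with_raw_haml_concat` applies to every `haml_concat` call made while the block runs, so anything a tag helper concatenates inside that block must already be escaped.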