module Haml::Helpers::XssMods

This module overrides Haml helpers to work properly in the context of ActionView. Currently it’s only used for modifying the helpers to work with Rails’ XSS protection methods.

Public Class Methods

included(base) click to toggle source

# File lib/haml/helpers/xss_mods.rb, line 10
def self.included(base)
  %w[find_and_preserve preserve list_of surround
     precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
    base.send(:alias_method, "#{name}_without_haml_xss", name)
    base.send(:alias_method, name, "#{name}_with_haml_xss")
  end
  # Those two always have _without_haml_xss
  %w[html_escape escape_once].each do |name|
    base.send(:alias_method, name, "#{name}_with_haml_xss")
  end
end

Public Instance Methods

capture_haml_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 65
def capture_haml_with_haml_xss(*args, &block)
  Haml::Util.html_safe(capture_haml_without_haml_xss(*args, &block))
end

escape_once_with_haml_xss(*args) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 93
def escape_once_with_haml_xss(*args)
  Haml::Util.html_safe(escape_once_without_haml_xss(*args))
end

find_and_preserve_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 31
def find_and_preserve_with_haml_xss(*args, &block)
  Haml::Util.html_safe(find_and_preserve_without_haml_xss(*args, &block))
end

haml_concat_with_haml_xss(text = "") click to toggle source

Input will be escaped unless this is in a ‘with_raw_haml_concat` block. See Haml::Helpers::ActionViewExtensions#with_raw_haml_concat.

# File lib/haml/helpers/xss_mods.rb, line 71
def haml_concat_with_haml_xss(text = "")
  raw = instance_variable_defined?(:@_haml_concat_raw) ? @_haml_concat_raw : false
  if raw
    haml_internal_concat_raw text
  else
    haml_internal_concat text
  end
  ErrorReturn.new("haml_concat")
end

haml_indent_with_haml_xss() click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 88
def haml_indent_with_haml_xss
  Haml::Util.html_safe(haml_indent_without_haml_xss)
end

html_escape_with_haml_xss(text) click to toggle source

Don’t escape text that’s already safe, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 24
def html_escape_with_haml_xss(text)
  str = text.to_s
  return text if str.html_safe?
  Haml::Util.html_safe(html_escape_without_haml_xss(str))
end

list_of_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 41
def list_of_with_haml_xss(*args, &block)
  Haml::Util.html_safe(list_of_without_haml_xss(*args, &block))
end

precede_with_haml_xss(str, &block) click to toggle source

Input is escaped, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 55
def precede_with_haml_xss(str, &block)
  Haml::Util.html_safe(precede_without_haml_xss(haml_xss_html_escape(str), &block))
end

preserve_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 36
def preserve_with_haml_xss(*args, &block)
  Haml::Util.html_safe(preserve_without_haml_xss(*args, &block))
end

succeed_with_haml_xss(str, &block) click to toggle source

Input is escaped, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 60
def succeed_with_haml_xss(str, &block)
  Haml::Util.html_safe(succeed_without_haml_xss(haml_xss_html_escape(str), &block))
end

surround_with_haml_xss(front, back = front, &block) click to toggle source

Input is escaped, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 46
def surround_with_haml_xss(front, back = front, &block)
  Haml::Util.html_safe(
    surround_without_haml_xss(
      haml_xss_html_escape(front),
      haml_xss_html_escape(back),
      &block))
end

Private Instance Methods

haml_internal_concat_with_haml_xss(text="", newline=true, indent=true) click to toggle source

Input is escaped

# File lib/haml/helpers/xss_mods.rb, line 82
def haml_internal_concat_with_haml_xss(text="", newline=true, indent=true)
  haml_internal_concat_without_haml_xss(haml_xss_html_escape(text), newline, indent)
end

haml_xss_html_escape(text) click to toggle source

Escapes the HTML in the text if and only if Rails XSS protection is enabled and the ‘:escape_html` option is set.

# File lib/haml/helpers/xss_mods.rb, line 101
def haml_xss_html_escape(text)
  return text unless Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html]
  html_escape(text)
end