diff --git a/lib/haml/filters.rb b/lib/haml/filters.rb
index 81d269f246..19d2b20572 100644
--- a/lib/haml/filters.rb
+++ b/lib/haml/filters.rb
@@ -163,7 +163,7 @@ def compile(compiler, text)
if contains_interpolation?(text)
return if options[:suppress_eval]
- text = unescape_interpolation(text).gsub(/(\\+)n/) do |s|
+ text = unescape_interpolation(text, options[:escape_html]).gsub(/(\\+)n/) do |s|
escapes = $1.size
next s if escapes % 2 == 0
"#{'\\' * (escapes - 1)}\n"
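Review bot: Passing `options[:escape_html]` into `unescape_interpolation` on the changed line applies HTML escaping to interpolated values in every filter that goes through this `compile`, including `:javascript` and `:css`, whose output is not an HTML text context; the renamed test later in this diff ("should never HTML-escape non-interpolated ampersands") indicates that `\#{"&"}` inside `:javascript` now renders as an entity. HTML-escaping does stop a `</script>` breakout from interpolated data, but entities are not decoded inside a script block, so an interpolated `&` or `<` reaches the JavaScript engine as `&amp;`/`&lt;` and silently changes the script's meaning rather than being treated as the original character. Consider a comment at this call such as `# escape_html also applies to interpolated values in non-HTML filters (:javascript, :css); entities there stay literal`, or a per-filter hook so those filters can apply context-appropriate escaping instead. The helper's second parameter is not shown in this hunk, so I am assuming it is the escape flag; `compile` begins before and continues past this hunk.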
diff --git a/test/filters_test.rb b/test/filters_test.rb
index 2914511bb2..5f16d2e74a 100644
--- a/test/filters_test.rb
+++ b/test/filters_test.rb
@@ -109,6 +109,11 @@ def evaluate(scope, locals, &block)
end
end
+ test "interpolated code should use be escaped in escape_html is set" do
+ assert_equal "<script>evil</script>\n",
+ render(":plain\n \#{''}", :escape_html => true)
+ end
+
end
class ErbFilterTest < MiniTest::Unit::TestCase
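Review bot: The test name added in this hunk, `"interpolated code should use be escaped in escape_html is set"`, is garbled; suggest `test "interpolated code should be escaped if escape_html is set" do`. The assertion as shown also does not exercise the fix: `\#{''}` interpolates an empty string, so `:plain` would render `"\n"`, not `"<script>evil</script>\n"`, and an escape_html test would normally expect the entity-encoded form. This looks like markup lost in extraction of the page rather than the committed code, but it is worth confirming that the real test interpolates a tag-bearing string and asserts the escaped output.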
@@ -140,8 +145,8 @@ class JavascriptFilterTest < MiniTest::Unit::TestCase
assert_match(/bar/, html)
end
- test "should never HTML-escape ampersands" do
- html = "\n"
+ test "should never HTML-escape non-interpolated ampersands" do
+ html = "\n"
haml = %Q{:javascript\n & < > \#{"&"}}
assert_equal(html, render(haml, :escape_html => true))
end