From 85917047e0b2eab54b1e05e1b1b1dc2f02c837fa Mon Sep 17 00:00:00 2001
From: Matt Wildig
Date: Thu, 17 Apr 2014 23:18:09 +0100
Subject: [PATCH] HTML escape interpolated code in filters

HTML escape any interpolated code if the escape_html option is set.
---
 lib/haml/filters.rb | 2 +-
 test/filters_test.rb | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/haml/filters.rb b/lib/haml/filters.rb
index 81d269f246..19d2b20572 100644
--- a/lib/haml/filters.rb
+++ b/lib/haml/filters.rb
@@ -163,7 +163,7 @@ def compile(compiler, text)
 if contains_interpolation?(text)
 return if options[:suppress_eval]
 
- text = unescape_interpolation(text).gsub(/(\\+)n/) do |s|
+ text = unescape_interpolation(text, options[:escape_html]).gsub(/(\\+)n/) do |s|
 escapes = $1.size
 next s if escapes % 2 == 0
 "#{'\\' * (escapes - 1)}\n"
diff --git a/test/filters_test.rb b/test/filters_test.rb
index 2914511bb2..5f16d2e74a 100644
--- a/test/filters_test.rb
+++ b/test/filters_test.rb
@@ -109,6 +109,11 @@ def evaluate(scope, locals, &block)
 end
 end
 
+ test "interpolated code should use be escaped in escape_html is set" do
+ assert_equal "<script>evil</script>\n",
+ render(":plain\n \#{''}", :escape_html => true)
+ end
+
 end
 
 class ErbFilterTest < MiniTest::Unit::TestCase
@@ -140,8 +145,8 @@ class JavascriptFilterTest < MiniTest::Unit::TestCase
 assert_match(/bar/, html)
 end
 
- test "should never HTML-escape ampersands" do
- html = "\n"
+ test "should never HTML-escape non-interpolated ampersands" do
+ html = "\n"
 haml = %Q{:javascript\n & < > \#{"&"}}
 assert_equal(html, render(haml, :escape_html => true))
 end
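Review bot: The escape flag on the new `unescape_interpolation(text, options[:escape_html])` line is applied to every filter's interpolation uniformly, but HTML entity escaping is the wrong encoder once the filter's output lands inside `<script>` or `<style>`: browsers do not decode entities there, so an interpolated `&` reaches JavaScript as the literal text `&amp;` (the updated JavascriptFilterTest in this same patch pins exactly that), and whether quote characters or JS line terminators in a value are neutralised depends on the escape table the helper uses, which is not visible here. The change is still worthwhile for `:plain`-style filters, where `<` becoming `&lt;` also stops an interpolated `</script>` from closing a block, so I would keep it but state the limit next to the call: `# escape_html entity-escapes interpolated values in every filter; inside :javascript/:css a context-specific (JS/JSON) encoder is still required`. It is also not visible whether a filter that escapes its own rendered output would now escape the interpolated value a second time, nor whether the helper treats a nil flag as "no escaping" — both are worth confirming against the helper, which is outside this hunk. `compile` starts and ends outside the hunk.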
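Review bot: The new test's name, `interpolated code should use be escaped in escape_html is set`, does not parse; it should read `test "interpolated code should be escaped if escape_html is set" do`. The case only exercises `:plain`, while the code path it covers feeds every filter, so a second case using the `:escaped` filter (which, going by its name, escapes its rendered output) would show whether an interpolated `<` now comes out as `&amp;lt;` — the double-escaping risk of escaping before the filter renders is not addressed anywhere in this patch — and a case with `:escape_html => false` would pin the unescaped default path. The interpolated literal in the `render` argument appears blank on this page, presumably lost to tag stripping when the page was rendered rather than in the commit itself.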
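Review bot: The rewritten expectation pins `&amp;` for the interpolated `&` inside the `:javascript` filter's output (the surrounding `<script>` wrapper appears stripped on this page, so its presence is inferred from the filter under test and the `//<![CDATA[` convention, not seen). Script content is not entity-decoded by browsers, so this asserts that an interpolated `&` reaches JavaScript as the literal characters `&amp;` — a deliberate trade-off, not correct escaping for that context, and the renamed title documents only the non-interpolated half of it. I would add above the test: `# entity escaping is context-agnostic: inside <script> the browser keeps '&amp;' literally; interpolated data in :javascript still needs a JS/JSON encoder`. A companion case asserting that an interpolated `</script>` renders with `&lt;`, so it cannot close the element, would pin the property the escaping actually provides here.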