HTML escape interpolated code in filters

HTML escape any interpolated code if the escape_html option is set.
haml · Apr 17, 2014 · 8591704 · 8591704
1 parent 800095b
commit 8591704
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/lib/haml/filters.rb b/lib/haml/filters.rb
@@ -163,7 +163,7 @@ def compile(compiler, text)
           if contains_interpolation?(text)
             return if options[:suppress_eval]
 
-            text = unescape_interpolation(text).gsub(/(\\+)n/) do |s|
+            text = unescape_interpolation(text, options[:escape_html]).gsub(/(\\+)n/) do |s|
               escapes = $1.size
               next s if escapes % 2 == 0
               "#{'\\' * (escapes - 1)}\n"

diff --git a/test/filters_test.rb b/test/filters_test.rb
@@ -109,6 +109,11 @@ def evaluate(scope, locals, &block)
     end
   end
 
+  test "interpolated code should use be escaped in escape_html is set" do
+    assert_equal "&lt;script&gt;evil&lt;/script&gt;\n",
+                 render(":plain\n  \#{'<script>evil</script>'}", :escape_html => true)
+  end
+
 end
 
 class ErbFilterTest < MiniTest::Unit::TestCase
@@ -140,8 +145,8 @@ class JavascriptFilterTest < MiniTest::Unit::TestCase
     assert_match(/bar/, html)
   end
 
-  test "should never HTML-escape ampersands" do
-    html = "<script>\n  & < > &\n</script>\n"
+  test "should never HTML-escape non-interpolated ampersands" do
+    html = "<script>\n  & < > &amp;\n</script>\n"
     haml = %Q{:javascript\n  & < > \#{"&"}}
     assert_equal(html, render(haml, :escape_html => true))
   end