New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTML escape interpolated code in filters #770
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HTML escape any interpolated code if the escape_html option is set.
If you’re using bundler you should be able to test this with: gem 'haml', :github => 'haml', 'branch' => 'escape-filter-interpolation' |
Using the existing |
teeparham
added a commit
that referenced
this pull request
Apr 19, 2014
HTML escape interpolated code in filters
k0kubun
added a commit
that referenced
this pull request
Apr 26, 2017
This was referenced Apr 26, 2017
Hello, could you recommend the upgrade path for filters such as
Seems I can't move forward without re-architecting my app to initialize via data attributes? |
@ianpurvis have you tried the following? :javascript
new Page(#{raw javascript_params.to_json}); |
@myabc Thanks! That works great. ✌️ |
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jun 21, 2017
## 5.0.1 Released on May 3, 2017 ([diff](haml/haml@v5.0.0...v5.0.1)). * Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921) * Stop distributing test files in gem package and allow installing on Windows. * Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914) ## 5.0.0 Released on April 26, 2017 ([diff](haml/haml@4.0.7...v5.0.0)). Breaking Changes * Haml now requires Ruby 2.0.0 or above. * Rails 3 is no longer supported, matching the official [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/). (Tee Parham) * The `haml` command's debug option (`-d`) no longer executes the Haml code, but rather checks the generated Ruby syntax for errors. * Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options or `Haml::Template.options` instead. (Takashi Kokubun) * Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead. Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun) * Don't preserve newlines in attributes. (Takashi Kokubun) * HTML escape interpolated code in filters. [#770](haml/haml#770) (Matt Wildig) :javascript #{JSON.generate(foo: "bar")} Haml 4 output: {"foo":"bar"} Haml 5 output: {"foo":"bar"} Added * Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin). * Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig) * Support Rails 5.1 Erubi template handler. * Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia). * General performance and memory usage improvements. (Akira Matsuda) * Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun) * Optimize attribute rendering about 3x faster. (Takashi Kokubun) * Add temple gem as dependency and create `Haml::TempleEngine` class. Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun) Fixed * Fix for attribute merging. When an attribute method (or literal nested hash) was used in an old style attribute hash and there is also a (non-static) new style hash there is an error. The fix can result in different behavior in some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3) for detailed info. (Matt Wildig) * Make escape_once respect hexadecimal references. (Matt Wildig) * Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke) * Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda) * Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop). * Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun) * Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
jsonn
pushed a commit
to jsonn/pkgsrc
that referenced
this pull request
Jun 21, 2017
## 5.0.1 Released on May 3, 2017 ([diff](haml/haml@v5.0.0...v5.0.1)). * Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921) * Stop distributing test files in gem package and allow installing on Windows. * Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914) ## 5.0.0 Released on April 26, 2017 ([diff](haml/haml@4.0.7...v5.0.0)). Breaking Changes * Haml now requires Ruby 2.0.0 or above. * Rails 3 is no longer supported, matching the official [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/). (Tee Parham) * The `haml` command's debug option (`-d`) no longer executes the Haml code, but rather checks the generated Ruby syntax for errors. * Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options or `Haml::Template.options` instead. (Takashi Kokubun) * Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead. Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun) * Don't preserve newlines in attributes. (Takashi Kokubun) * HTML escape interpolated code in filters. [#770](haml/haml#770) (Matt Wildig) :javascript #{JSON.generate(foo: "bar")} Haml 4 output: {"foo":"bar"} Haml 5 output: {"foo":"bar"} Added * Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin). * Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig) * Support Rails 5.1 Erubi template handler. * Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia). * General performance and memory usage improvements. (Akira Matsuda) * Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun) * Optimize attribute rendering about 3x faster. (Takashi Kokubun) * Add temple gem as dependency and create `Haml::TempleEngine` class. Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun) Fixed * Fix for attribute merging. When an attribute method (or literal nested hash) was used in an old style attribute hash and there is also a (non-static) new style hash there is an error. The fix can result in different behavior in some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3) for detailed info. (Matt Wildig) * Make escape_once respect hexadecimal references. (Matt Wildig) * Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke) * Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda) * Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop). * Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun) * Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
Closed
This was referenced Mar 11, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
HTML escape any interpolated code if the escape_html option is set.
I’ve used the existing
:escape_html
option rather than creating a new option. Does anyone think there should be separate options?