Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTML escape interpolated code in filters #770

Merged
merged 1 commit into from Apr 19, 2014
Merged

HTML escape interpolated code in filters #770

merged 1 commit into from Apr 19, 2014

Conversation

mattwildig
Copy link
Contributor

HTML escape any interpolated code if the escape_html option is set.

I’ve used the existing :escape_html option rather than creating a new option. Does anyone think there should be separate options?

@mattwildig
HTML escape interpolated code in filters
8591704 
HTML escape any interpolated code if the escape_html option is set.
@mattwildig mattwildig mentioned this pull request Apr 17, 2014
Closed
@mattwildig
Copy link
Contributor Author

If you’re using bundler you should be able to test this with:

gem 'haml', :github => 'haml', 'branch' => 'escape-filter-interpolation'

@teeparham
Copy link
Member

Using the existing :escape_html option makes sense to me. Merging.

teeparham added a commit that referenced this pull request Apr 19, 2014
@teeparham
Merge pull request #770 from haml/escape-filter-interpolation
2630344 
HTML escape interpolated code in filters
@teeparham teeparham merged commit 2630344 into master Apr 19, 2014
@teeparham teeparham deleted the escape-filter-interpolation branch April 19, 2014 19:58
k0kubun added a commit that referenced this pull request Apr 26, 2017
@k0kubun
Note about #770 in Haml 5 changes
e5d6409 
This affects code like this:
https://github.com/sferik/rails_admin/blob/e0eb6ca714c9301b36efab9b43c6e38b55508db2/app/views/layouts/rails_admin/application.html.haml#L13
This was referenced Apr 26, 2017
Merged
Merged
@ianpurvis
Copy link

Hello, could you recommend the upgrade path for filters such as

:javascript
  new Page(#{javascript_params.to_json});

Seems I can't move forward without re-architecting my app to initialize via data attributes?

@myabc
Copy link

myabc commented May 29, 2017

@ianpurvis have you tried the following?

:javascript
  new Page(#{raw javascript_params.to_json});

@ianpurvis
Copy link

@myabc Thanks! That works great. ✌️

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jun 21, 2017
Update ruby-haml to 5.0.1
128847b 
## 5.0.1

Released on May 3, 2017
([diff](haml/haml@v5.0.0...v5.0.1)).

* Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921)
* Stop distributing test files in gem package and allow installing on Windows.
* Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914)

## 5.0.0

Released on April 26, 2017
([diff](haml/haml@4.0.7...v5.0.0)).

Breaking Changes

* Haml now requires Ruby 2.0.0 or above.
* Rails 3 is no longer supported, matching the official
  [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/).
  (Tee Parham)
* The `haml` command's debug option (`-d`) no longer executes the Haml code, but
  rather checks the generated Ruby syntax for errors.
* Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options
  or `Haml::Template.options` instead. (Takashi Kokubun)
* Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead.
  Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)
* Don't preserve newlines in attributes. (Takashi Kokubun)
* HTML escape interpolated code in filters.
  [#770](haml/haml#770)
  (Matt Wildig)

        :javascript
          #{JSON.generate(foo: "bar")}
        Haml 4 output: {"foo":"bar"}
        Haml 5 output: {"foo":"bar"}

Added

* Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path
  to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin).
* Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig)
* Support Rails 5.1 Erubi template handler.
* Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia).
* General performance and memory usage improvements. (Akira Matsuda)
* Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
* Optimize attribute rendering about 3x faster. (Takashi Kokubun)
* Add temple gem as dependency and create `Haml::TempleEngine` class.
  Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun)

Fixed

* Fix for attribute merging. When an attribute method (or literal nested hash)
  was used in an old style attribute hash and there is also a (non-static) new
  style hash there is an error. The fix can result in different behavior in
  some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3)
  for detailed info. (Matt Wildig)
* Make escape_once respect hexadecimal references. (Matt Wildig)
* Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke)
* Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda)
* Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop).
* Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun)
* Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Jun 21, 2017
Update ruby-haml to 5.0.1
a2546cc 
## 5.0.1

Released on May 3, 2017
([diff](haml/haml@v5.0.0...v5.0.1)).

* Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921)
* Stop distributing test files in gem package and allow installing on Windows.
* Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914)

## 5.0.0

Released on April 26, 2017
([diff](haml/haml@4.0.7...v5.0.0)).

Breaking Changes

* Haml now requires Ruby 2.0.0 or above.
* Rails 3 is no longer supported, matching the official
  [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/).
  (Tee Parham)
* The `haml` command's debug option (`-d`) no longer executes the Haml code, but
  rather checks the generated Ruby syntax for errors.
* Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options
  or `Haml::Template.options` instead. (Takashi Kokubun)
* Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead.
  Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)
* Don't preserve newlines in attributes. (Takashi Kokubun)
* HTML escape interpolated code in filters.
  [#770](haml/haml#770)
  (Matt Wildig)

        :javascript
          #{JSON.generate(foo: "bar")}
        Haml 4 output: {"foo":"bar"}
        Haml 5 output: {"foo":"bar"}

Added

* Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path
  to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin).
* Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig)
* Support Rails 5.1 Erubi template handler.
* Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia).
* General performance and memory usage improvements. (Akira Matsuda)
* Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
* Optimize attribute rendering about 3x faster. (Takashi Kokubun)
* Add temple gem as dependency and create `Haml::TempleEngine` class.
  Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun)

Fixed

* Fix for attribute merging. When an attribute method (or literal nested hash)
  was used in an old style attribute hash and there is also a (non-static) new
  style hash there is an error. The fix can result in different behavior in
  some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3)
  for detailed info. (Matt Wildig)
* Make escape_once respect hexadecimal references. (Matt Wildig)
* Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke)
* Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda)
* Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop).
* Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun)
* Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
@javinto javinto mentioned this pull request Jul 6, 2017
Closed
@wjordan wjordan mentioned this pull request Mar 1, 2018
Merged
@DrkCloudStrife DrkCloudStrife mentioned this pull request Apr 18, 2018
Closed
@marcandre
Copy link

For anyone stumbling here, there is an alternative solution to @myabc's: it is now possible to set options.escape_filter_interpolations to false (#984) to revert the behavior 🎉

@ireneybean ireneybean mentioned this pull request Sep 13, 2020
Closed
This was referenced Mar 11, 2021
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@mattwildig @teeparham @ianpurvis @myabc @marcandre