Upgrading from 5.1.2 to 5.2.2

[choubacha]

And a string that used to parse correctly is now being over-encoded:

      %a{href: "[%= app.internalPath(h.path(\'profile\')) %]".html_safe, target: "_blank" }= s.t('header.link')

The result is that the apostrophe's around profile are encoded as:

h.path('profile')

[choubacha]

It looks like this is intentional and only by completely turning off escaping attrs globally does it work again.

I'm not sure how the latest version caused this to start happening but would it be possible for attributes to allow html_safe strings?

[k0kubun]

We're being consistent with Rails in the way we approach the "vulnerability" with a CVE. Rails helpers escape attributes even if you pass an html_safe object, and we did the same #1028. If you want Haml's Rails support to be changed, I suggest you to let Rails change the behavior first.

[mockdeep]

This seems like a breaking change. We've got a bunch of handlebars style templates in our haml and upgrading causes quite a bit of breakage in our app:

- class_name = "requested-field {{= required ? 'required' : '' }}".html_safe
%div{ class: class_name }

the 'required' is becoming 'required'