
haml6 & string interpolation escapes #1084

Closed
jdelStrother opened this issue Sep 22, 2022 · 3 comments

Comments

@jdelStrother
Contributor

Thanks for haml6! But I'm puzzled by a change we're seeing with it in our Rails 7.0.3 app. A template like this:

%div
  %p= link_to "link1", "/"
  %p click #{link_to "link2", "/"}

Generates this html in haml 5.2.2:

<div>
<p><a href="/">link1</a></p>
<p>click <a href="/">link2</a></p>
</div>

But generates this html in haml 6.0.0:

<div>
<p><a href="/">link1</a></p>
<p>click &lt;a href=&quot;/&quot;&gt;link2&lt;/a&gt;</p>
</div>

Should we still be able to use foo #{html_safe_string} bar without html_safe_string getting over-escaped?
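Added example (not code from the issue or from haml): a stand-in for ActiveSupport::SafeBuffer and an html_safe-aware escaper, showing why running every interpolation through CGI.escapeHTML over-escapes the markup link_to returns, while an escaper that honours html_safe? keeps escaping unmarked text. The class and sample strings are constructed for the example.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer, constructed for this example: a String
# that reports itself as already escaped. Rails' real class also returns self
# from #to_s, which lets the flag survive the .to_s in Haml's generated code.
class SafeString < String
  def html_safe?; true; end
  def to_s; self; end
end

# Escaper with the behaviour the issue's patch depends on: escape only values
# that do not declare themselves html_safe. A plain String has no html_safe?
# method here, so anything not explicitly marked safe is always escaped.
def escape_html_safe(value)
  str = value.to_s
  safe = str.respond_to?(:html_safe?) && str.html_safe?
  safe ? str : CGI.escapeHTML(str)
end

# Model of what Haml compiles `%p click #{expr}` into: the interpolated value
# goes through the escaper and is spliced into the literal text.
def render_click(value, escaper)
  "<p>click #{escaper.call(value.to_s)}</p>"
end

# What link_to returns: markup already marked html_safe (constructed sample).
LINK = SafeString.new('<a href="/">link2</a>')
# Untrusted text that must still be escaped (constructed sample).
USER_TEXT = '<b>user text</b>'

# Haml 6.0.0 behaviour: CGI.escapeHTML on every interpolation, so the safe
# anchor from link_to is over-escaped.
def haml_600(value)
  render_click(value, CGI.method(:escapeHTML))
end

# Behaviour after the patch: safe markup passes through, unsafe text is escaped.
def haml_601(value)
  render_click(value, method(:escape_html_safe))
end

if __FILE__ == $PROGRAM_NAME
  puts haml_600(LINK)       # <p>click &lt;a href=&quot;/&quot;&gt;link2&lt;/a&gt;</p>
  puts haml_601(LINK)       # <p>click <a href="/">link2</a></p>
  puts haml_601(USER_TEXT)  # <p>click &lt;b&gt;user text&lt;/b&gt;</p>
end
```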

@jdelStrother
Contributor Author

Possibly in haml/util.rb it should be something like this?

    def unescape_interpolation(str, escape_html = nil)
      res = ''.dup
      rest = Haml::Util.handle_interpolation str.dump do |scan|
        escapes = (scan[2].size - 1) / 2
        char = scan[3] # '{', '@' or '$'
        res << scan.matched[0...-3 - escapes]
        if escapes % 2 == 1
          res << "\##{char}"
        else
          interpolated = if char == '{'
            balance(scan, ?{, ?}, 1)[0][0...-1]
          else
            scan.scan(/\w+/)
          end
          content = eval("\"#{interpolated}\"")
          content = "#{char}#{content}" if char == '@' || char == '$'
-          content = "CGI.escapeHTML((#{content}).to_s)" if escape_html
+          content = "Haml::Util.escape_html_safe((#{content}).to_s)" if escape_html

          res << "\#{#{content}}"
        end
      end
      res + rest
    end
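Review bot: the `+` line only changes behaviour if `Haml::Util.escape_html_safe` checks `html_safe?` before escaping, and because the generated expression calls `.to_s` before the helper sees the value, it relies on `to_s` preserving the safe flag (ActiveSupport::SafeBuffer#to_s returns self; a plain String or another library's safe-string type may not). Suggest adding a spec for `%p click #{link_to "link2", "/"}` expecting the unescaped anchor and a second for an unmarked string such as `#{"<b>x</b>"}` expecting `&lt;b&gt;x&lt;/b&gt;`, so the change removes the double escape without letting an unmarked string through unescaped.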

@k0kubun
Member

k0kubun commented Sep 23, 2022

I'll need more time to work on a better solution, but I accepted your patch for now. Thank you!

@k0kubun
Member

k0kubun commented Sep 23, 2022

Released as v6.0.1.

freesteph added a commit to betagouv/dsfr-view-components that referenced this issue Dec 28, 2022
And fix the templates since Haml 6.x seems to have changed the way it
handles escaping[1].

[1]: haml/haml#1084
freesteph added a commit to betagouv/dsfr-view-components that referenced this issue Jan 2, 2023
And fix the templates since Haml 6.x seems to have changed the way it
handles escaping[1].

[1]: haml/haml#1084