New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTML escape interpolated code in filters #770

Merged
merged 1 commit into from Apr 19, 2014

Conversation

Projects
None yet
4 participants
@mattwildig
Member

mattwildig commented Apr 17, 2014

HTML escape any interpolated code if the escape_html option is set.

I’ve used the existing :escape_html option rather than creating a new option. Does anyone think there should be separate options?

HTML escape interpolated code in filters
HTML escape any interpolated code if the escape_html option is set.
@mattwildig

This comment has been minimized.

Show comment
Hide comment
@mattwildig

mattwildig Apr 17, 2014

Member

If you’re using bundler you should be able to test this with:

gem 'haml', :github => 'haml', 'branch' => 'escape-filter-interpolation'
Member

mattwildig commented Apr 17, 2014

If you’re using bundler you should be able to test this with:

gem 'haml', :github => 'haml', 'branch' => 'escape-filter-interpolation'
@teeparham

This comment has been minimized.

Show comment
Hide comment
@teeparham

teeparham Apr 19, 2014

Member

Using the existing :escape_html option makes sense to me. Merging.

Member

teeparham commented Apr 19, 2014

Using the existing :escape_html option makes sense to me. Merging.

teeparham added a commit that referenced this pull request Apr 19, 2014

Merge pull request #770 from haml/escape-filter-interpolation
HTML escape interpolated code in filters

@teeparham teeparham merged commit 2630344 into master Apr 19, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
Details

@teeparham teeparham deleted the escape-filter-interpolation branch Apr 19, 2014

@ianpurvis

This comment has been minimized.

Show comment
Hide comment
@ianpurvis

ianpurvis May 18, 2017

Hello, could you recommend the upgrade path for filters such as

:javascript
  new Page(#{javascript_params.to_json});

Seems I can't move forward without re-architecting my app to initialize via data attributes?

ianpurvis commented May 18, 2017

Hello, could you recommend the upgrade path for filters such as

:javascript
  new Page(#{javascript_params.to_json});

Seems I can't move forward without re-architecting my app to initialize via data attributes?

@myabc

This comment has been minimized.

Show comment
Hide comment
@myabc

myabc May 29, 2017

@ianpurvis have you tried the following?

:javascript
  new Page(#{raw javascript_params.to_json});

myabc commented May 29, 2017

@ianpurvis have you tried the following?

:javascript
  new Page(#{raw javascript_params.to_json});
@ianpurvis

This comment has been minimized.

Show comment
Hide comment
@ianpurvis

ianpurvis Jun 2, 2017

@myabc Thanks! That works great. ✌️

ianpurvis commented Jun 2, 2017

@myabc Thanks! That works great. ✌️

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jun 21, 2017

taca
Update ruby-haml to 5.0.1
## 5.0.1

Released on May 3, 2017
([diff](haml/haml@v5.0.0...v5.0.1)).

* Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921)
* Stop distributing test files in gem package and allow installing on Windows.
* Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914)

## 5.0.0

Released on April 26, 2017
([diff](haml/haml@4.0.7...v5.0.0)).

Breaking Changes

* Haml now requires Ruby 2.0.0 or above.
* Rails 3 is no longer supported, matching the official
  [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/).
  (Tee Parham)
* The `haml` command's debug option (`-d`) no longer executes the Haml code, but
  rather checks the generated Ruby syntax for errors.
* Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options
  or `Haml::Template.options` instead. (Takashi Kokubun)
* Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead.
  Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)
* Don't preserve newlines in attributes. (Takashi Kokubun)
* HTML escape interpolated code in filters.
  [#770](haml/haml#770)
  (Matt Wildig)

        :javascript
          #{JSON.generate(foo: "bar")}
        Haml 4 output: {"foo":"bar"}
        Haml 5 output: {"foo":"bar"}

Added

* Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path
  to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin).
* Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig)
* Support Rails 5.1 Erubi template handler.
* Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia).
* General performance and memory usage improvements. (Akira Matsuda)
* Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
* Optimize attribute rendering about 3x faster. (Takashi Kokubun)
* Add temple gem as dependency and create `Haml::TempleEngine` class.
  Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun)

Fixed

* Fix for attribute merging. When an attribute method (or literal nested hash)
  was used in an old style attribute hash and there is also a (non-static) new
  style hash there is an error. The fix can result in different behavior in
  some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3)
  for detailed info. (Matt Wildig)
* Make escape_once respect hexadecimal references. (Matt Wildig)
* Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke)
* Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda)
* Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop).
* Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun)
* Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)

jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Jun 21, 2017

taca
Update ruby-haml to 5.0.1
## 5.0.1

Released on May 3, 2017
([diff](haml/haml@v5.0.0...v5.0.1)).

* Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921)
* Stop distributing test files in gem package and allow installing on Windows.
* Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914)

## 5.0.0

Released on April 26, 2017
([diff](haml/haml@4.0.7...v5.0.0)).

Breaking Changes

* Haml now requires Ruby 2.0.0 or above.
* Rails 3 is no longer supported, matching the official
  [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/).
  (Tee Parham)
* The `haml` command's debug option (`-d`) no longer executes the Haml code, but
  rather checks the generated Ruby syntax for errors.
* Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options
  or `Haml::Template.options` instead. (Takashi Kokubun)
* Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead.
  Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)
* Don't preserve newlines in attributes. (Takashi Kokubun)
* HTML escape interpolated code in filters.
  [#770](haml/haml#770)
  (Matt Wildig)

        :javascript
          #{JSON.generate(foo: "bar")}
        Haml 4 output: {"foo":"bar"}
        Haml 5 output: {"foo":"bar"}

Added

* Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path
  to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin).
* Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig)
* Support Rails 5.1 Erubi template handler.
* Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia).
* General performance and memory usage improvements. (Akira Matsuda)
* Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
* Optimize attribute rendering about 3x faster. (Takashi Kokubun)
* Add temple gem as dependency and create `Haml::TempleEngine` class.
  Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun)

Fixed

* Fix for attribute merging. When an attribute method (or literal nested hash)
  was used in an old style attribute hash and there is also a (non-static) new
  style hash there is an error. The fix can result in different behavior in
  some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3)
  for detailed info. (Matt Wildig)
* Make escape_once respect hexadecimal references. (Matt Wildig)
* Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke)
* Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda)
* Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop).
* Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun)
* Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment