Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTML escape interpolated code in filters #770

Merged
merged 1 commit into from Apr 19, 2014
Merged

Conversation

@mattwildig
Copy link
Contributor

@mattwildig mattwildig commented Apr 17, 2014

HTML escape any interpolated code if the escape_html option is set.

I’ve used the existing :escape_html option rather than creating a new option. Does anyone think there should be separate options?

HTML escape any interpolated code if the escape_html option is set.
@mattwildig
Copy link
Contributor Author

@mattwildig mattwildig commented Apr 17, 2014

If you’re using bundler you should be able to test this with:

gem 'haml', :github => 'haml', 'branch' => 'escape-filter-interpolation'
@teeparham
Copy link
Member

@teeparham teeparham commented Apr 19, 2014

Using the existing :escape_html option makes sense to me. Merging.

teeparham added a commit that referenced this pull request Apr 19, 2014
HTML escape interpolated code in filters
@teeparham teeparham merged commit 2630344 into master Apr 19, 2014
1 check passed
1 check passed
continuous-integration/travis-ci The Travis CI build passed
Details
@teeparham teeparham deleted the escape-filter-interpolation branch Apr 19, 2014
@ianpurvis
Copy link

@ianpurvis ianpurvis commented May 18, 2017

Hello, could you recommend the upgrade path for filters such as

:javascript
  new Page(#{javascript_params.to_json});

Seems I can't move forward without re-architecting my app to initialize via data attributes?

@myabc
Copy link

@myabc myabc commented May 29, 2017

@ianpurvis have you tried the following?

:javascript
  new Page(#{raw javascript_params.to_json});
@ianpurvis
Copy link

@ianpurvis ianpurvis commented Jun 2, 2017

@myabc Thanks! That works great. ✌️

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jun 21, 2017
## 5.0.1

Released on May 3, 2017
([diff](haml/haml@v5.0.0...v5.0.1)).

* Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921)
* Stop distributing test files in gem package and allow installing on Windows.
* Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914)

## 5.0.0

Released on April 26, 2017
([diff](haml/haml@4.0.7...v5.0.0)).

Breaking Changes

* Haml now requires Ruby 2.0.0 or above.
* Rails 3 is no longer supported, matching the official
  [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/).
  (Tee Parham)
* The `haml` command's debug option (`-d`) no longer executes the Haml code, but
  rather checks the generated Ruby syntax for errors.
* Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options
  or `Haml::Template.options` instead. (Takashi Kokubun)
* Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead.
  Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)
* Don't preserve newlines in attributes. (Takashi Kokubun)
* HTML escape interpolated code in filters.
  [#770](haml/haml#770)
  (Matt Wildig)

        :javascript
          #{JSON.generate(foo: "bar")}
        Haml 4 output: {"foo":"bar"}
        Haml 5 output: {"foo":"bar"}

Added

* Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path
  to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin).
* Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig)
* Support Rails 5.1 Erubi template handler.
* Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia).
* General performance and memory usage improvements. (Akira Matsuda)
* Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
* Optimize attribute rendering about 3x faster. (Takashi Kokubun)
* Add temple gem as dependency and create `Haml::TempleEngine` class.
  Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun)

Fixed

* Fix for attribute merging. When an attribute method (or literal nested hash)
  was used in an old style attribute hash and there is also a (non-static) new
  style hash there is an error. The fix can result in different behavior in
  some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3)
  for detailed info. (Matt Wildig)
* Make escape_once respect hexadecimal references. (Matt Wildig)
* Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke)
* Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda)
* Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop).
* Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun)
* Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Jun 21, 2017
## 5.0.1

Released on May 3, 2017
([diff](haml/haml@v5.0.0...v5.0.1)).

* Fix parsing attributes including string interpolation. [#917](haml/haml#917) [#921](haml/haml#921)
* Stop distributing test files in gem package and allow installing on Windows.
* Use ActionView's Erubi/Erubis handler for erb filter only on ActionView. [#914](haml/haml#914)

## 5.0.0

Released on April 26, 2017
([diff](haml/haml@4.0.7...v5.0.0)).

Breaking Changes

* Haml now requires Ruby 2.0.0 or above.
* Rails 3 is no longer supported, matching the official
  [Maintenance Policy for Ruby on Rails](http://weblog.rubyonrails.org/2013/2/24/maintenance-policy-for-ruby-on-rails/).
  (Tee Parham)
* The `haml` command's debug option (`-d`) no longer executes the Haml code, but
  rather checks the generated Ruby syntax for errors.
* Drop parser/compiler accessor from `Haml::Engine`. Modify `Haml::Engine#initialize` options
  or `Haml::Template.options` instead. (Takashi Kokubun)
* Drop dynamic quotes support and always escape `'` for `escape_html`/`escape_attrs` instead.
  Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)
* Don't preserve newlines in attributes. (Takashi Kokubun)
* HTML escape interpolated code in filters.
  [#770](haml/haml#770)
  (Matt Wildig)

        :javascript
          #{JSON.generate(foo: "bar")}
        Haml 4 output: {"foo":"bar"}
        Haml 5 output: {"foo":"bar"}

Added

* Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path
  to the source Haml file from which it was generated. Thanks [Alex Babkin](https://github.com/ababkin).
* Add `haml_tag_if` to render a block, conditionally wrapped in another element (Matt Wildig)
* Support Rails 5.1 Erubi template handler.
* Support Sprockets 3. Thanks [Sam Davies](https://github.com/samphilipd) and [Jeremy Venezia](https://github.com/jvenezia).
* General performance and memory usage improvements. (Akira Matsuda)
* Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
* Optimize attribute rendering about 3x faster. (Takashi Kokubun)
* Add temple gem as dependency and create `Haml::TempleEngine` class.
  Some methods in `Haml::Compiler` are migrated to `Haml::TempleEngine`. (Takashi Kokubun)

Fixed

* Fix for attribute merging. When an attribute method (or literal nested hash)
  was used in an old style attribute hash and there is also a (non-static) new
  style hash there is an error. The fix can result in different behavior in
  some circumstances. See the [commit message](https://github.com/haml/haml/tree/e475b015d3171fb4c4f140db304f7970c787d6e3)
  for detailed info. (Matt Wildig)
* Make escape_once respect hexadecimal references. (Matt Wildig)
* Don't treat the 'data' attribute specially when merging attribute hashes. (Matt Wildig and Norman Clarke)
* Fix #@foo and #$foo style interpolation that was not working in html_safe mode. (Akira Matsuda)
* Allow `@` as tag's class name. Thanks [Joe Bartlett](https://github.com/redoPop).
* Raise `Haml::InvalidAttributeNameError` when attribute name includes invalid characters. (Takashi Kokubun)
* Don't ignore unexpected exceptions on initializing `ActionView::OutputBuffer`. (Takashi Kokubun)
@marcandre
Copy link

@marcandre marcandre commented Apr 22, 2020

For anyone stumbling here, there is an alternative solution to @myabc's: it is now possible to set options.escape_filter_interpolations to false (#984) to revert the behavior 🎉

@ireneybean ireneybean mentioned this pull request Sep 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

5 participants
You can’t perform that action at this time.