module Haml::Helpers::XssMods

This module overrides Haml helpers to work properly in the context of ActionView. Currently it's only used for modifying the helpers to work with Rails' XSS protection methods.

Public Class Methods

included(base) click to toggle source

# File lib/haml/helpers/xss_mods.rb, line 10
def self.included(base)
  %w[html_escape find_and_preserve preserve list_of surround
     precede succeed capture_haml haml_concat haml_internal_concat haml_indent
     escape_once].each do |name|
    base.send(:alias_method, "#{name}_without_haml_xss", name)
    base.send(:alias_method, name, "#{name}_with_haml_xss")
  end
end

Public Instance Methods

capture_haml_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 62
def capture_haml_with_haml_xss(*args, &block)
  Haml::Util.html_safe(capture_haml_without_haml_xss(*args, &block))
end

escape_once_with_haml_xss(*args) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 90
def escape_once_with_haml_xss(*args)
  Haml::Util.html_safe(escape_once_without_haml_xss(*args))
end

find_and_preserve_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 28
def find_and_preserve_with_haml_xss(*args, &block)
  Haml::Util.html_safe(find_and_preserve_without_haml_xss(*args, &block))
end

haml_concat_with_haml_xss(text = "") click to toggle source

Input will be escaped unless this is in a `with_raw_haml_concat` block. See #Haml::Helpers::ActionViewExtensions#with_raw_haml_concat.

# File lib/haml/helpers/xss_mods.rb, line 68
def haml_concat_with_haml_xss(text = "")
  raw = instance_variable_defined?(:@_haml_concat_raw) ? @_haml_concat_raw : false
  if raw
    haml_internal_concat_raw text
  else
    haml_internal_concat text
  end
  ErrorReturn.new("haml_concat")
end

haml_indent_with_haml_xss() click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 85
def haml_indent_with_haml_xss
  Haml::Util.html_safe(haml_indent_without_haml_xss)
end

html_escape_with_haml_xss(text) click to toggle source

Don't escape text that's already safe, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 21
def html_escape_with_haml_xss(text)
  str = text.to_s
  return text if str.html_safe?
  Haml::Util.html_safe(html_escape_without_haml_xss(str))
end

list_of_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 38
def list_of_with_haml_xss(*args, &block)
  Haml::Util.html_safe(list_of_without_haml_xss(*args, &block))
end

precede_with_haml_xss(str, &block) click to toggle source

Input is escaped, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 52
def precede_with_haml_xss(str, &block)
  Haml::Util.html_safe(precede_without_haml_xss(haml_xss_html_escape(str), &block))
end

preserve_with_haml_xss(*args, &block) click to toggle source

Output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 33
def preserve_with_haml_xss(*args, &block)
  Haml::Util.html_safe(preserve_without_haml_xss(*args, &block))
end

succeed_with_haml_xss(str, &block) click to toggle source

Input is escaped, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 57
def succeed_with_haml_xss(str, &block)
  Haml::Util.html_safe(succeed_without_haml_xss(haml_xss_html_escape(str), &block))
end

surround_with_haml_xss(front, back = front, &block) click to toggle source

Input is escaped, output is always HTML safe

# File lib/haml/helpers/xss_mods.rb, line 43
def surround_with_haml_xss(front, back = front, &block)
  Haml::Util.html_safe(
    surround_without_haml_xss(
      haml_xss_html_escape(front),
      haml_xss_html_escape(back),
      &block))
end

Private Instance Methods

haml_internal_concat_with_haml_xss(text="", newline=true, indent=true) click to toggle source

Input is escaped

# File lib/haml/helpers/xss_mods.rb, line 79
def haml_internal_concat_with_haml_xss(text="", newline=true, indent=true)
  haml_internal_concat_without_haml_xss(haml_xss_html_escape(text), newline, indent)
end

haml_xss_html_escape(text) click to toggle source

Escapes the HTML in the text if and only if Rails XSS protection is enabled and the `:escape_html` option is set.

# File lib/haml/helpers/xss_mods.rb, line 98
def haml_xss_html_escape(text)
  return text unless Haml::Util.rails_xss_safe? && haml_buffer.options[:escape_html]
  html_escape(text)
end