[Haml] Try enabling XSS integration after all Rails plugins are loaded.

Closes gh-49
2009-10-29 13:27:24 -07:00 · 2009-10-29 13:27:24 -07:00 · 0193edf05a
parent 5d7e90c2b4
commit 0193edf05a
2 changed files with 33 additions and 13 deletions
--- a/doc-src/HAML_CHANGELOG.md
+++ b/doc-src/HAML_CHANGELOG.md
@ -8,6 +8,15 @@
 * Fixed a bug where elements with dynamic attributes and no content
  would have too much whitespace between the opening and closing tag.

+* Changed `rails/init.rb` away from loading `init.rb` and instead
+  have it basically copy the content.
+  This allows us to transfer the proper binding to `Haml.init_rails`.
+
+* Make sure Haml only tries to enable XSS protection integration
+  once all other plugins are loaded.
+  This allows it to work properly when Haml is a gem
+  and the `rails_xss` plugin is being used.
+
 ## [2.2.9](http://github.com/nex3/haml/commit/2.2.9)

 * Fixed a bug where Haml's text was concatenated to the wrong buffer
--- a/lib/haml/template.rb
+++ b/lib/haml/template.rb
@ -11,6 +11,23 @@ module Haml
    #
    # @return [Hash<Symbol, Object>]
    attr_accessor :options
+
+    # Enables integration with the Rails 2.2.5+ XSS protection,
+    # if it's available and enabled.
+    #
+    # @return [Boolean] Whether the XSS integration was enabled.
+    def try_enabling_xss_integration
+      return false unless ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
+
+      Haml::Template.options[:escape_html] = true
+
+      Haml::Util.module_eval {def rails_xss_safe?; true; end}
+
+      require 'haml/helpers/xss_mods'
+      Haml::Helpers.send(:include, Haml::Helpers::XssMods)
+
+      true
+    end
  end
 end

@ -27,19 +44,13 @@ else
  require 'haml/template/patch'
 end

-if ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
-  Haml::Template.options[:escape_html] = true
-
-  module Haml::Util
-    def rails_xss_safe?
-      true
-    end
-  end
-
-  require 'haml/helpers/xss_mods'
-  module Haml::Helpers
-    include XssMods
-  end
+# Enable XSS integration. Use Rails' after_initialize method if possible
+# so that integration will be checked after the rails_xss plugin is loaded
+# (for Rails 2.3.* where it's not enabled by default).
+if defined?(Rails.configuration.after_initialize)
+  Rails.configuration.after_initialize {Haml::Template.try_enabling_xss_integration}
+else
+  Haml::Template.try_enabling_xss_integration
 end

 if defined?(RAILS_ROOT)