Merge branch 'stable'

lib/haml/helpers/action_view_mods.rb

@@ -26,7 +26,8 @@ module ActionView
 
       def set_output_buffer_with_haml(new)
         if is_haml?
-          new = String.new(new) if Haml::Util.rails_xss_safe? && new.is_a?(ActionView::SafeBuffer)
+          new = String.new(new) if Haml::Util.rails_xss_safe? &&
+            new.is_a?(Haml::Util.rails_safe_buffer_class)
           haml_buffer.buffer = new
         else
           set_output_buffer_without_haml new

lib/haml/helpers/xss_mods.rb

@@ -19,45 +19,46 @@ module Haml
       def html_escape_with_haml_xss(text)
         str = text.to_s
         return text if str.html_safe?
-        html_escape_without_haml_xss(str).html_safe!
+        Haml::Util.html_safe(html_escape_without_haml_xss(str))
       end
 
       # Output is always HTML safe
       def find_and_preserve_with_haml_xss(*args, &block)
-        find_and_preserve_without_haml_xss(*args, &block).html_safe!
+        Haml::Util.html_safe(find_and_preserve_without_haml_xss(*args, &block))
       end
 
       # Output is always HTML safe
       def preserve_with_haml_xss(*args, &block)
-        preserve_without_haml_xss(*args, &block).html_safe!
+        Haml::Util.html_safe(preserve_without_haml_xss(*args, &block))
       end
 
       # Output is always HTML safe
       def list_of_with_haml_xss(*args, &block)
-        list_of_without_haml_xss(*args, &block).html_safe!
+        Haml::Util.html_safe(list_of_without_haml_xss(*args, &block))
       end
 
       # Input is escaped, output is always HTML safe
       def surround_with_haml_xss(front, back = front, &block)
-        surround_without_haml_xss(
-          haml_xss_html_escape(front),
-          haml_xss_html_escape(back),
-          &block).html_safe!
+        Haml::Util.html_safe(
+          surround_without_haml_xss(
+            haml_xss_html_escape(front),
+            haml_xss_html_escape(back),
+            &block))
       end
 
       # Input is escaped, output is always HTML safe
       def precede_with_haml_xss(str, &block)
-        precede_without_haml_xss(haml_xss_html_escape(str), &block).html_safe!
+        Haml::Util.html_safe(precede_without_haml_xss(haml_xss_html_escape(str), &block))
       end
 
       # Input is escaped, output is always HTML safe
       def succeed_with_haml_xss(str, &block)
-        succeed_without_haml_xss(haml_xss_html_escape(str), &block).html_safe!
+        Haml::Util.html_safe(succeed_without_haml_xss(haml_xss_html_escape(str), &block))
       end
 
       # Output is always HTML safe
       def capture_haml_with_haml_xss(*args, &block)
-        capture_haml_without_haml_xss(*args, &block).html_safe!
+        Haml::Util.html_safe(capture_haml_without_haml_xss(*args, &block))
       end
 
       # Input is escaped
@@ -67,7 +68,7 @@ module Haml
 
       # Output is always HTML safe
       def haml_indent_with_haml_xss
-        haml_indent_without_haml_xss.html_safe!
+        Haml::Util.html_safe(haml_indent_without_haml_xss)
       end
 
       # Input is escaped, haml_concat'ed output is always HTML safe
@@ -79,7 +80,7 @@ module Haml
 
       # Output is always HTML safe
       def escape_once_with_haml_xss(*args)
-        escape_once_without_haml_xss(*args).html_safe!
+        Haml::Util.html_safe(escape_once_without_haml_xss(*args))
       end
 
       private
@@ -93,3 +94,32 @@ module Haml
     end
   end
 end
+
+module ActionView
+  module Helpers
+    module TextHelper
+      def concat_with_haml(string)
+        if is_haml?
+          haml_buffer.buffer.concat(haml_xss_html_escape(string))
+        else
+          concat_without_haml(string)
+        end
+      end
+      alias_method :concat_without_haml, :concat
+      alias_method :concat, :concat_with_haml
+
+      # safe_concat was introduced in Rails 3.0
+      if Haml::Util.has?(:instance_method, self, :safe_concat)
+        def safe_concat_with_haml(string)
+          if is_haml?
+            haml_buffer.buffer.concat(string)
+          else
+            concat_without_haml(string)
+          end
+        end
+        alias_method :safe_concat_without_haml, :safe_concat
+        alias_method :safe_concat, :safe_concat_with_haml
+      end
+    end
+  end
+end

lib/haml/template.rb

@@ -28,7 +28,7 @@ module Haml
 
       Haml::Precompiler.module_eval do
         def precompiled_method_return_value_with_haml_xss
-          "(#{precompiled_method_return_value_without_haml_xss}).html_safe!"
+          "::Haml::Util.html_safe(#{precompiled_method_return_value_without_haml_xss})"
         end
         alias_method :precompiled_method_return_value_without_haml_xss, :precompiled_method_return_value
         alias_method :precompiled_method_return_value, :precompiled_method_return_value_with_haml_xss

lib/haml/util.rb

@@ -203,6 +203,17 @@ module Haml
       false
     end
 
+    # Returns the given text, marked as being HTML-safe.
+    # With older versions of the Rails XSS-safety mechanism,
+    # this destructively modifies the HTML-safety of `text`.
+    #
+    # @param text [String]
+    # @return [String] `text`, marked as HTML-safe
+    def html_safe(text)
+      return text.html_safe if defined?(ActiveSupport::SafeBuffer)
+      text.html_safe!
+    end
+
     # Assert that a given object (usually a String) is HTML safe
     # according to Rails' XSS handling, if it's loaded.
     #
@@ -212,6 +223,11 @@ module Haml
       raise Haml::Error.new("Expected #{text.inspect} to be HTML-safe.")
     end
 
+    def rails_safe_buffer_class
+      return ActionView::SafeBuffer if defined?(ActionView::SafeBuffer)
+      ActiveSupport::SafeBuffer
+    end
+
     ## Cross-Ruby-Version Compatibility
 
     # Whether or not this is running under Ruby 1.8 or lower.

test/haml/template_test.rb

@@ -258,7 +258,7 @@ END
     end
 
     def test_xss_protection_with_safe_strings
-      assert_equal("Foo & Bar\n", render('= "Foo & Bar".html_safe!', :action_view))
+      assert_equal("Foo & Bar\n", render('= Haml::Util.html_safe("Foo & Bar")', :action_view))
     end
 
     def test_xss_protection_with_bang
@@ -274,11 +274,11 @@ END
     end
 
     def test_xss_protection_with_safe_strings_in_interpolation
-      assert_equal("Foo & Bar\n", render('Foo #{"&".html_safe!} Bar', :action_view))
+      assert_equal("Foo & Bar\n", render('Foo #{Haml::Util.html_safe("&")} Bar', :action_view))
     end
 
     def test_xss_protection_with_mixed_strings_in_interpolation
-      assert_equal("Foo & Bar & Baz\n", render('Foo #{"&".html_safe!} Bar #{"&"} Baz', :action_view))
+      assert_equal("Foo & Bar & Baz\n", render('Foo #{Haml::Util.html_safe("&")} Bar #{"&"} Baz', :action_view))
     end
 
     def test_rendered_string_is_html_safe
@@ -292,5 +292,19 @@ END
     def test_xss_html_escaping_with_non_strings
       assert_equal("4\n", render("= html_escape(4)"))
     end
+
+    def test_xss_protection_with_concat
+      assert_equal("Foo & Bar", render('- concat "Foo & Bar"', :action_view))
+    end
+
+    def test_xss_protection_with_concat_with_safe_string
+      assert_equal("Foo & Bar", render('- concat(Haml::Util.html_safe("Foo & Bar"))', :action_view))
+    end
+
+    if Haml::Util.has?(:instance_method, ActionView::Helpers::TextHelper, :safe_concat)
+      def test_xss_protection_with_safe_concat
+        assert_equal("Foo & Bar", render('- safe_concat "Foo & Bar"', :action_view))
+      end
+    end
   end
 end