Document the HTML-escaping functionality.

2022-11-09 12:33:31 -05:00 · 2008-03-16 15:40:53 -07:00 · 2008-03-16 15:40:53 -07:00 · 30138e7a15
commit 30138e7a15
parent 891f39ce4c
1 changed files with 50 additions and 1 deletions
--- a/lib/haml.rb
+++ b/lib/haml.rb
@ -252,7 +252,7 @@ $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)
 # For example:
 # 
 #   %br/
-#   %meta{'http-equiv' => 'Content-Type', :content => 'text/html'}/
+#   %meta{'http-euiv' => 'Content-Type', :content => 'text/html'}/
 # 
 # is compiled to:
 # 
@ -633,6 +633,15 @@ $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)
 #     yo
 #   </p>
 #
+# If the <tt>:escape_html</tt> option is set,
+# = will sanitize any HTML-sensitive characters generated by the script.
+# For example:
+#
+#   = '<script>alert("I\'m evil!");</script>'
+#
+# would be compiled to
+#
+#   &lt;script&gt;alert(&quot;I'm evil!&quot;);&lt;/script&gt;
 # 
 # ==== -
 # 
@ -685,6 +694,40 @@ $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)
 #    \\ Look at \yon lack of backslash: #{foo}
 #  </p>
 #
+# ==== &=
+#
+# An ampersand followed by an equals character
+# evaluates Ruby code just like the single equals,
+# but sanitizes any HTML-sensitive characters in the result of the code.
+# For example:
+#
+#   &= "I like cheese & crackers"
+#
+# compiles to
+#
+#   I like cheese &amp; crackers
+#
+# If the <tt>:escape_html</tt> option is set,
+# &= behaves identically to =.
+#
+# ==== !=
+#
+# An exclamation mark followed by an equals character
+# evaluates Ruby code just like the single equals,
+# but never sanitizes the HTML.
+#
+# By default, the single equals doesn't sanitize HTML either.
+# However, if the <tt>:escape_html</tt> option is set, = will sanitize the HTML, but != still won't.
+# For example, if <tt>:escape_html</tt> is set:
+#
+#   = "I feel <strong>!"
+#   != "I feel <strong>!"
+#
+# compiles to
+#
+#   I feel &lt;strong&gt;!
+#   I feel <strong>!
+#
 # ===== Blocks
 # 
 # Ruby blocks, like XHTML tags, don't need to be explicitly closed in Haml.
@ -789,6 +832,12 @@ $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)
 #                           identical to :xhtml except there are no self-closing tags,
 #                           XML prolog is ignored and correct DOCTYPEs are generated.
 #
+# [<tt>:escape_html</tt>]   Sets whether or not to escape HTML-sensitive characters in script.
+#                           If this is true, = behaves like &=;
+#                           otherwise, it behaves like !=.
+#                           <b>Note that this doesn't affect attributes or == interpolation.</b>
+#                           Defaults to false.
+#
 # [<tt>:suppress_eval</tt>] Whether or not attribute hashes and Ruby scripts
 #                           designated by <tt>=</tt> or <tt>~</tt> should be
 #                           evaluated. If this is true, said scripts are