[Haml] Fix a bug with haml_tag and Rails XSS.
Closes gh-92
This commit is contained in:
parent
87ccc14524
commit
60fec9969b
|
@ -14,6 +14,9 @@
|
|||
* Fix a bug where calls to ActionView's `render` method
|
||||
with blocks and layouts wouldn't work under the Rails 3.0 beta.
|
||||
|
||||
* Fix a bug where the closing tags of nested calls to \{Haml::Helpers#haml\_concat}
|
||||
were improperly escaped under the Rails 3.0 beta.
|
||||
|
||||
## 2.2.19
|
||||
|
||||
[Tagged on GitHub](http://github.com/nex3/haml/commit/2.2.19).
|
||||
|
|
|
@ -45,10 +45,10 @@ module Haml
|
|||
# @yield A block in which all input to `#haml_concat` is treated as raw.
|
||||
# @see Haml::Util#rails_xss_safe?
|
||||
def with_raw_haml_concat
|
||||
@_haml_concat_raw = true
|
||||
@_haml_concat_raw, old = true, @_haml_concat_raw
|
||||
yield
|
||||
ensure
|
||||
@_haml_concat_raw = false
|
||||
@_haml_concat_raw = old
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
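Review bot: The parallel assignment `@_haml_concat_raw, old = true, @_haml_concat_raw` reads as though `old` captured `true`; it is correct only because Ruby evaluates the whole right-hand side before assigning, and that subtlety is easy to break in a later edit. The two-statement form `old = @_haml_concat_raw` followed by `@_haml_concat_raw = true` states the intent plainly at no cost. Note also that on the first call `old` is `nil` rather than `false`, so the `ensure` clause now restores `nil` where the removed line always wrote `false`; that is harmless for truthiness checks, but worth recording in the method comment, e.g. `# Restores the flag's previous value on exit (nil if it was never set) so that nested calls do not re-enable escaping for the enclosing block.` The method starts and ends within the hunk.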
@ -309,6 +309,20 @@ END
|
|||
|
||||
## Regression
|
||||
|
||||
def test_xss_protection_with_nested_haml_tag
|
||||
assert_equal(<<HTML, render(<<HAML, :action_view))
|
||||
<div>
|
||||
<ul>
|
||||
<li>Content!</li>
|
||||
</ul>
|
||||
</div>
|
||||
HTML
|
||||
- haml_tag :div do
|
||||
- haml_tag :ul do
|
||||
- haml_tag :li, "Content!"
|
||||
HAML
|
||||
end
|
||||
|
||||
def test_xss_protection_with_form_for
|
||||
assert_equal(<<HTML, render(<<HAML, :action_view))
|
||||
<form action="" method="post">
|
||||
|
|