From 0193edf05a3a739eda13d2954869b59c17a32026 Mon Sep 17 00:00:00 2001
From: Nathan Weizenbaum
Date: Thu, 29 Oct 2009 13:27:24 -0700
Subject: [PATCH 1/2] [Haml] Try enabling XSS integration after all Rails plugins are loaded.

Closes gh-49
---
 doc-src/HAML_CHANGELOG.md | 9 +++++++++
 lib/haml/template.rb | 37 ++++++++++++++++++++++++-------------
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/doc-src/HAML_CHANGELOG.md b/doc-src/HAML_CHANGELOG.md
index 3ded8720..20392112 100644
--- a/doc-src/HAML_CHANGELOG.md
+++ b/doc-src/HAML_CHANGELOG.md
@@ -8,6 +8,15 @@
 * Fixed a bug where elements with dynamic attributes and no content
   would have too much whitespace between the opening and closing tag.
 
+* Changed `rails/init.rb` away from loading `init.rb` and instead
+  have it basically copy the content.
+  This allows us to transfer the proper binding to `Haml.init_rails`.
+
+* Make sure Haml only tries to enable XSS protection integration
+  once all other plugins are loaded.
+  This allows it to work properly when Haml is a gem
+  and the `rails_xss` plugin is being used.
+
 ## [2.2.9](http://github.com/nex3/haml/commit/2.2.9)
 
 * Fixed a bug where Haml's text was concatenated to the wrong buffer
diff --git a/lib/haml/template.rb b/lib/haml/template.rb
index 0cc4031b..abded6dc 100644
--- a/lib/haml/template.rb
+++ b/lib/haml/template.rb
@@ -11,6 +11,23 @@ module Haml
     #
     # @return [Hash]
     attr_accessor :options
+
+    # Enables integration with the Rails 2.2.5+ XSS protection,
+    # if it's available and enabled.
+    #
+    # @return [Boolean] Whether the XSS integration was enabled.
+    def try_enabling_xss_integration
+      return false unless ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
+
+      Haml::Template.options[:escape_html] = true
+
+      Haml::Util.module_eval {def rails_xss_safe?; true; end}
+
+      require 'haml/helpers/xss_mods'
+      Haml::Helpers.send(:include, Haml::Helpers::XssMods)
+
+      true
+    end
   end
 end
 
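Review bot: `Haml::Template.options[:escape_html] = true` in try_enabling_xss_integration silently overwrites whatever the application put into `Haml::Template.options` before this method runs, and the YARD block does not say so. Since `rails_xss_safe?` is forced to true in the same method and the companion patch marks rendered output HTML-safe on that basis, leaving escaping off would presumably hand Rails unescaped content flagged as safe, so the override is the right choice but should be visible to whoever sets the option. Add to the docstring: `# @note Forces `options[:escape_html]` on, overriding any application setting; with XSS integration enabled, Haml output is trusted by Rails and so must be escaped here.` The `require` and `include` are also re-executed on every call, which is harmless, and a sentence stating that repeated calls are safe would spare the next reader the check.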
@@ -27,19 +44,13 @@ else
   require 'haml/template/patch'
 end
 
-if ActionView::Base.respond_to?(:xss_safe?) && ActionView::Base.xss_safe?
-  Haml::Template.options[:escape_html] = true
-
-  module Haml::Util
-    def rails_xss_safe?
-      true
-    end
-  end
-
-  require 'haml/helpers/xss_mods'
-  module Haml::Helpers
-    include XssMods
-  end
+# Enable XSS integration. Use Rails' after_initialize method if possible
+# so that integration will be checked after the rails_xss plugin is loaded
+# (for Rails 2.3.* where it's not enabled by default).
+if defined?(Rails.configuration.after_initialize)
+  Rails.configuration.after_initialize {Haml::Template.try_enabling_xss_integration}
+else
+  Haml::Template.try_enabling_xss_integration
 end
 
 if defined?(RAILS_ROOT)
From 60ab39b3aefe9e0f0d5c61a998c78000c0a52a64 Mon Sep 17 00:00:00 2001
From: Nathan Weizenbaum
Date: Thu, 29 Oct 2009 14:14:30 -0700
Subject: [PATCH 2/2] [Haml] Mark the return value of the Haml rendering method as HTML safe if XSS protection is enabled.

Closes gh-50
---
 doc-src/HAML_CHANGELOG.md | 3 +++
 lib/haml/engine.rb | 3 ++-
 lib/haml/precompiler.rb | 8 +++++++-
 lib/haml/template.rb | 8 ++++++++
 test/haml/template_test.rb | 11 +++++++++++
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/doc-src/HAML_CHANGELOG.md b/doc-src/HAML_CHANGELOG.md
index 20392112..895757c6 100644
--- a/doc-src/HAML_CHANGELOG.md
+++ b/doc-src/HAML_CHANGELOG.md
@@ -17,6 +17,9 @@
   This allows it to work properly when Haml is a gem
   and the `rails_xss` plugin is being used.
 
+* Mark the return value of Haml templates as HTML safe.
+  This makes Haml partials work with Rails' XSS protection.
+
 ## [2.2.9](http://github.com/nex3/haml/commit/2.2.9)
 
 * Fixed a bug where Haml's text was concatenated to the wrong buffer
diff --git a/lib/haml/engine.rb b/lib/haml/engine.rb
index ed5a63a6..fc22bf07 100644
--- a/lib/haml/engine.rb
+++ b/lib/haml/engine.rb
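Review bot: In the `defined?(Rails.configuration.after_initialize)` branch the integration check is only scheduled, never run, so if Haml is loaded after the framework's after_initialize callbacks have already fired (a late `require 'haml'` from application code, if I read the Rails 2.3 initializer correctly) the block is registered but never invoked and XSS integration stays off without any message. The return value of try_enabling_xss_integration is discarded on both branches as well, so a deployment where the check returned false looks exactly like one where it succeeded. A comment on the `if` would at least make the constraint visible: `# NOTE: the block only fires if Haml is loaded before Rails finishes initializing; a later require leaves XSS integration disabled.`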
@@ -175,7 +175,8 @@ module Haml
         @haml_buffer = buffer
       end
 
-      eval(precompiled, scope, @options[:filename], @options[:line])
+      eval(precompiled + "\n" + precompiled_method_return_value,
+           scope, @options[:filename], @options[:line])
 
       # Get rid of the current buffer
       scope_object.instance_eval do
diff --git a/lib/haml/precompiler.rb b/lib/haml/precompiler.rb
index 9e701ee4..2940fa57 100644
--- a/lib/haml/precompiler.rb
+++ b/lib/haml/precompiler.rb
@@ -99,11 +99,17 @@
 __in_erb_template = true
 END
 postamble = <
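Review bot: The expression appended to the `eval` string is attributed, via `@options[:filename]` and `@options[:line]`, to a line one past the template's last line, so any exception raised while evaluating `precompiled_method_return_value` will point at a template line that does not exist; a short comment would save the next person a confusing backtrace: `# The trailing expression makes the rendered buffer the method's return value; an error raised there reports a line just past the template's end.` The enclosing method starts and ends outside the hunk. Whether `precompiled_method_return_value` marks the string safe only when XSS integration is actually enabled cannot be confirmed from this hunk (its definition is presumably in the precompiler.rb hunk cut off below), and that is worth checking, since an unconditional safe-marking of the rendered output would let unescaped template content through Rails' escaping.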