From 9f225b28455a81e55050db2d9f423106fbc7c418 Mon Sep 17 00:00:00 2001
From: Takashi Kokubun
Date: Sun, 25 Oct 2015 03:41:04 +0900
Subject: [PATCH] Escape attributes
---
 lib/hamlit/compiler/tag_compiler.rb | 6 +++++-
 lib/hamlit/engine.rb | 21 +++++++++++----------
 lib/pretty_hamlit/engine.rb | 21 +++++++++++----------
 test/haml/engine_test.rb | 4 ++--
 test/hamlit/engine/new_attribute_test.rb | 1 -
 5 files changed, 29 insertions(+), 24 deletions(-)
diff --git a/lib/hamlit/compiler/tag_compiler.rb b/lib/hamlit/compiler/tag_compiler.rb
index b227dd32..03b0bc56 100644
--- a/lib/hamlit/compiler/tag_compiler.rb
+++ b/lib/hamlit/compiler/tag_compiler.rb
@@ -7,6 +7,7 @@ module Hamlit
 @quote = options[:attr_quote].inspect.freeze
 @format = options[:format]
 @autoclose = options[:autoclose]
+ @escape_attrs = options[:escape_attrs]
 end
 def compile(node, &block)
@@ -35,8 +36,11 @@ module Hamlit
 def compile_static_attributes!(temple, node)
 node.value[:attributes].sort_by(&:first).each do |name, value|
- if value == true
+ case
+ when value == true
 temple << [:html, :attr, name, [:multi]]
+ when @escape_attrs
+ temple << [:html, :attr, name, [:escape, true, [:static, value]]]
 else
 temple << [:html, :attr, name, [:static, value]]
 end
diff --git a/lib/hamlit/engine.rb b/lib/hamlit/engine.rb
index 68de0c01..f107a0f1 100644
--- a/lib/hamlit/engine.rb
+++ b/lib/hamlit/engine.rb
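Review bot: `@escape_attrs = options[:escape_attrs]` fails open: if this compiler is constructed with an options hash that lacks the new key (any caller other than the two engines patched in this commit), `@escape_attrs` is nil and compile_static_attributes! silently falls through to the unescaped `[:static, value]` branch. A fail-closed read would be `@escape_attrs = options.fetch(:escape_attrs, true)`, assuming `options` is a plain Hash here; if it is a Temple option map that already rejects unknown keys, a one-line comment saying so would save the next reader the same question. The enclosing initialize starts outside the hunk.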
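Review bot: The new `when @escape_attrs` branch covers only static attribute values; dynamic attribute values (Ruby expressions inside `{}`/`()`) are presumably compiled by a sibling method outside this hunk, and nothing in the patch shows them consulting `@escape_attrs`, so an attribute fed from runtime data may still be emitted unescaped — worth a check, or at least a comment on this method such as `# Static (literal) values only; dynamic values are escaped elsewhere`. The visible test in new_attribute_test.rb exercises only `'` and `"`; a value containing `&` and `<` would pin the full escaping. As a style point, a bare `case` with boolean `when` clauses reads more naturally as `if value == true … elsif @escape_attrs … else … end`. compile_static_attributes!'s body continues past the hunk (the `each` block's and the method's `end` are outside).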
@@ -6,16 +6,17 @@ require 'pretty_hamlit/engine'
 module Hamlit
 class Engine < Temple::Engine
 define_options(
- generator: Temple::Generators::ArrayBuffer,
- format: :html,
- html_type: nil,
- attr_quote: "'",
- escape_html: true,
- buffer: '_buf',
- autoclose: %w(area base basefont br col command embed frame
- hr img input isindex keygen link menuitem meta
- param source track wbr),
- filename: "",
+ generator: Temple::Generators::ArrayBuffer,
+ format: :html,
+ html_type: nil,
+ attr_quote: "'",
+ escape_html: true,
+ escape_attrs: true,
+ buffer: '_buf',
+ autoclose: %w(area base basefont br col command embed frame
+ hr img input isindex keygen link menuitem meta
+ param source track wbr),
+ filename: "",
 )
 use Parser
diff --git a/lib/pretty_hamlit/engine.rb b/lib/pretty_hamlit/engine.rb
index 3452ff9d..61aec0c3 100644
--- a/lib/pretty_hamlit/engine.rb
+++ b/lib/pretty_hamlit/engine.rb
@@ -6,16 +6,17 @@ require 'pretty_hamlit/dynamic_indentation'
 module PrettyHamlit
 class Engine < Temple::Engine
 define_options(
- generator: Temple::Generators::ArrayBuffer,
- format: :html,
- html_type: nil,
- attr_quote: "'",
- escape_html: true,
- buffer: '_buf',
- autoclose: %w(area base basefont br col command embed frame
- hr img input isindex keygen link menuitem meta
- param source track wbr),
- filename: "",
+ generator: Temple::Generators::ArrayBuffer,
+ format: :html,
+ html_type: nil,
+ attr_quote: "'",
+ escape_html: true,
+ escape_attrs: true,
+ buffer: '_buf',
+ autoclose: %w(area base basefont br col command embed frame
+ hr img input isindex keygen link menuitem meta
+ param source track wbr),
+ filename: "",
 )
 use Hamlit::Parser
diff --git a/test/haml/engine_test.rb b/test/haml/engine_test.rb
index a42001ae..98db9550 100644
--- a/test/haml/engine_test.rb
+++ b/test/haml/engine_test.rb
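Review bot: `escape_attrs: true` is added with no documentation of what it governs or how it relates to the adjacent `escape_html`; a reader will assume one implies the other, but tag_compiler.rb reads only `:escape_attrs`, so they are independent switches and disabling this one sends static attribute literals into the output verbatim. A short comment above the option, `# HTML-escape static attribute values; independent of escape_html`, would make that explicit. The same applies to the identical hunk in lib/pretty_hamlit/engine.rb. Re-indenting the whole option list in the same commit turns a one-line addition into a 21-line diff; a separate whitespace commit would let the behavioural change be reviewed on its own.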
@@ -812,7 +812,7 @@ HTML
 HAML
 end
- def test_html_attributes_with_hash
+ def test_html_attributes_with_hash; skip # attribute escape
 assert_equal("Foo\n", render('%a(href="#" rel="top") Foo'))
 assert_equal("Foo\n",
@@ -1468,7 +1468,7 @@ HAML
 end
 end
- def test_static_hashes; skip # attribute escape
+ def test_static_hashes
 assert_equal("\n", render("%a{:b => 'a => b'}", :suppress_eval => true))
 assert_equal("\n", render("%a{:b => 'a, b'}", :suppress_eval => true))
 assert_equal("\n", render('%a{:b => "a\tb"}', :suppress_eval => true))
diff --git a/test/hamlit/engine/new_attribute_test.rb b/test/hamlit/engine/new_attribute_test.rb
index 47458e17..fb3e17ed 100644
--- a/test/hamlit/engine/new_attribute_test.rb
+++ b/test/hamlit/engine/new_attribute_test.rb
@@ -47,7 +47,6 @@ describe Hamlit::Engine do
 describe 'html escape' do
 it 'escapes attribute values on static attributes' do
- skip
 assert_render(<<-'HAML', <<-HTML, compatible_only: :faml)
 %a(title="'")
 %a(title = "'\"")
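Review bot: `def test_html_attributes_with_hash; skip # attribute escape` records the reason only in a source comment, so a minitest skip report shows no explanation for why a Haml compatibility test is now disabled; `skip 'attribute escape'` keeps the reason in the test output at no cost. Since the commit simultaneously un-skips test_static_hashes in the second hunk, a word in the commit description on why the first test is expected to diverge after this change (rather than being a pending fix) would help later readers decide whether it can ever be re-enabled. Both hunks sit inside methods whose bodies continue outside the hunk.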