[Haml] Fix an XSS-escaping bug with HTML escaping and non-strings.

doc-src/HAML_CHANGELOG.md

@@ -3,6 +3,12 @@
 * Table of contents
 {:toc}
 
+## 2.2.11 (Unreleased)
+
+* Fixed a bug with XSS protection where HTML escaping would raise an error
+  if passed a non-string value.
+  Note that this doesn't affect any HTML escaping when XSS protection is disabled.
+
 ## [2.2.10](http://github.com/nex3/haml/commit/2.2.10)
 
 * Fixed a bug where elements with dynamic attributes and no content

lib/haml/helpers/xss_mods.rb

@@ -17,8 +17,9 @@ module Haml
       # Don't escape text that's already safe,
       # output is always HTML safe
       def html_escape_with_haml_xss(text)
-        return text if text.html_safe?
+        str = text.to_s
-        html_escape_without_haml_xss(text).html_safe!
+        return text if str.html_safe?
+        html_escape_without_haml_xss(str).html_safe!
       end
 
       # Output is always HTML safe

test/haml/template_test.rb

@@ -284,5 +284,9 @@ END
     def test_rendered_string_is_html_safe_with_action_view
       assert(render("Foo", :action_view).html_safe?)
     end
+
+    def test_xss_html_escaping_with_non_strings
+      assert_equal("4\n", render("= html_escape(4)"))
+    end
   end
 end