Attribute escaping respects html_safe.

It's sometimes the case where we don't want attributes to be
html_escaped... for instance `%input{ placeholder: 'Filter…' }`.

This commit changes the attribute escaping to respect the rails
`html_safe` flag and not escape attributes when `.html_safe` is
explicitly called on them.

Closes #470

doc-src/HAML_CHANGELOG.md

@@ -3,6 +3,11 @@
 * Table of contents
 {:toc}
 
+## 3.1.5 (Unreleased)
+
+* Respect Rails' `html_safe` flag when escaping attribute values
+  (thanks to [Gerad Suyderhoud](https://github.com/gerad)).
+
 ## 3.1.4
 
 * Fix the use of `FormBuilder#block` with a label in Haml.

lib/haml/compiler.rb

@@ -372,7 +372,7 @@ END
           if escape_attrs == :once
             Haml::Helpers.escape_once(value.to_s)
           elsif escape_attrs
-            CGI.escapeHTML(value.to_s)
+            Haml::Helpers.html_escape(value.to_s)
           else
             value.to_s
           end

test/haml/template_test.rb

@@ -339,6 +339,14 @@ HAML
       assert_equal("Foo & Bar\n", render('Foo #{"&"} Bar', :action_view))
     end
 
+    def test_xss_protection_in_attributes
+      assert_equal("<div data-html='&lt;foo&gt;bar&lt;/foo&gt;'></div>\n", render('%div{ "data-html" => "<foo>bar</foo>" }', :action_view))
+    end
+
+    def test_xss_protection_in_attributes_with_safe_strings
+      assert_equal("<div data-html='<foo>bar</foo>'></div>\n", render('%div{ "data-html" => "<foo>bar</foo>".html_safe }', :action_view))
+    end
+
     def test_xss_protection_with_bang_in_interpolation
       assert_equal("Foo & Bar\n", render('! Foo #{"&"} Bar', :action_view))
     end