[Haml] Fix the nasty potential XSS issue that Rails fixed a bit ago.

doc-src/HAML_CHANGELOG.md

@@ -3,6 +3,11 @@
 * Table of contents
 {:toc}
 
+## 2.2.8 (Unreleased)
+
+* Fixed a potential XSS issue with HTML escaping and wacky Unicode nonsense.
+  This is the same as [the issue fixed in Rails](http://groups.google.com/group/rubyonrails-security/browse_thread/thread/48ab3f4a2c16190f) a bit ago.
+
 ## [2.2.7](http://github.com/nex3/haml/commit/2.2.7)
 
 * Fixed an `html2haml` issue where ERB attribute values

lib/haml/helpers.rb

@@ -473,7 +473,7 @@ END
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def html_escape(text)
-      text.to_s.gsub(/[\"><&]/) { |s| HTML_ESCAPE[s] }
+      text.to_s.gsub(/[\"><&]/n) {|s| HTML_ESCAPE[s]}
     end
 
     # Escapes HTML entities in `text`, but without escaping an ampersand
@@ -482,7 +482,7 @@ END
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def escape_once(text)
-      text.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |s| HTML_ESCAPE[s] }
+      text.to_s.gsub(/[\"><]|&(?!(?:[a-zA-Z]+|(#\d+));)/n) {|s| HTML_ESCAPE[s]}
     end
 
     # Returns whether or not the current template is a Haml template.