Sha256: 09fd8ff7809a0f3fa9e017cc789574e61d0c0f8872524ca2e544bc6df4b7a964
Contents?: true
Size: 1.62 KB
Versions: 1
Compression:
Stored size: 1.62 KB
Contents
```haml
-# HTML attributes and static string interpolation in Haml work in different ways:
-# 1. Under certain conditions, attributes are precompiled.
-#    We never have to escape those because they can not contain user input.
-# 2. Whenever there is a Ruby call on attributes, Haml will have to evaluate
-#    them at runtime. Since they can contain user input, XSS logic applies.

-# precompiled (static)
- if Gem::Version.new(Haml::VERSION) >= Gem::Version.new(6)
  -# HAML 6 is smart enough to recognize static strings and will not
  -# escape it - so neither do we
  #{'{{safe}}'}
  = "{{safe}}"
- else
  #{'{{unsafe}}'}
  = "{{unsafe}}"
{{safe}}
%div(foo='{{safe}}')
%div{:class => '{{safe}}', :id => '{{safe}}'}

-# Compiled at runtime:
- unsafe_evaluated_variable = '{{unsafe}}'
- safe_evaluated_variable = '{{safe}}'.html_safe
= unsafe_evaluated_variable
= safe_evaluated_variable
#{unsafe_evaluated_variable}
#{safe_evaluated_variable}
= ''.html_safe + unsafe_evaluated_variable
= ''.html_safe + safe_evaluated_variable
= ''.html_safe << unsafe_evaluated_variable
= ''.html_safe << safe_evaluated_variable
= content_tag(:span, unsafe_evaluated_variable)
= content_tag(:span, safe_evaluated_variable)
%div{:class => unsafe_evaluated_variable, :id => unsafe_evaluated_variable}
%div(bar="#{unsafe_evaluated_variable}")
%div{:foo => safe_evaluated_variable, :bar => unsafe_evaluated_variable}
{{safe}}
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
= '{{unsafe}}'
```
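Added example, not code from the angular_xss gem or this template: a pure-Ruby model of the html_safe rule the runtime cases above exercise, so the safe/unsafe outcomes can be checked without Haml or Rails. It assumes a placeholder replacement token for `{{` (`CURLY_ESCAPE`) and a toy `SafeString` standing in for Rails' SafeBuffer; the Haml 6 static-string branch is not modelled.

```ruby
require 'cgi'

# Assumed placeholder for the token substituted for "{{"; the gem's actual
# replacement text is not shown on this page.
CURLY_ESCAPE = '{{ $root.DOUBLE_LEFT_CURLY_BRACKET }}'.freeze

# Plain strings are untrusted by default, mirroring Rails' String#html_safe.
class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Teaching stand-in for ActiveSupport::SafeBuffer: a string that is already
# escaped. Appending (<<) or adding (+) an unsafe string escapes it first; a
# safe one passes through untouched. Not the Rails implementation.
class SafeString < String
  def html_safe?; true; end
  def <<(other); super(angular_escape(other)); end
  def +(other); SafeString.new(self) << other; end
end

# Escape HTML metacharacters and the AngularJS interpolation opener "{{".
# Already-safe input is returned unchanged, which is why the template above
# expects "{{safe}}" to survive and "{{unsafe}}" to be rewritten.
def angular_escape(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  SafeString.new(CGI.escapeHTML(value.to_s).gsub('{{', CURLY_ESCAPE))
end

# Runtime attribute values go through the same escaper as "= expr" output.
def div_with_class(value)
  %(<div class="#{angular_escape(value)}"></div>)
end

# The runtime cases from the template, using the two variables it defines.
def render_runtime_cases
  unsafe = '{{unsafe}}'
  safe   = '{{safe}}'.html_safe
  {
    'unsafe'          => angular_escape(unsafe).to_s,
    'safe'            => angular_escape(safe).to_s,
    'buffer + unsafe' => (''.html_safe + unsafe).to_s,
    'buffer << safe'  => (''.html_safe << safe).to_s,
    'attr unsafe'     => div_with_class(unsafe),
    'attr safe'       => div_with_class(safe)
  }
end
```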
Version data entries
1 entries across 1 versions & 1 rubygems
| Version | Path |
|---|---|
| angular_xss-1.0.0 | spec/templates/_test_haml.haml |