Haml v2.2.9 Release Notes

  • Tagged on GitHub.

    • ๐Ÿ›  Fixed a bug where Haml's text was concatenated to the wrong buffer under certain circumstances. This was mostly an issue under Rails when using methods like capture.

    • ๐Ÿ›  Fixed a bug where template text was escaped when there was interpolation in a line and the :escape_html option was enabled. For example:

      Foo < Bar #{"<"} Baz

    with :escape_html used to render as

      Foo &amp;lt; Bar &lt; Baz
    

    but now renders as

      Foo &lt; Bar &lt; Baz
    

    ๐Ÿš… Rails XSS Protection

    ๐Ÿš… Haml 2.2.9 supports the XSS protection in Rails versions 2.3.5+. There are several components to this:

    • If XSS protection is enabled, Haml's {file:HAML_REFERENCE.md#escape_html-option :escape_html} option is set to true by default.

    • Strings declared as HTML safe won't be escaped by Haml, including the {file:Haml/Helpers.html#html_escape-instance_method #html_escape} helper and &= if :escape_html has been disabled.

    • Haml helpers that generate HTML are marked as HTML safe, and will escape their input if it's not HTML safe.