Haml v2.2.9 Release Notes
-------------------------
🛠 Fixed a bug where Haml's text was concatenated to the wrong buffer under certain circumstances. This was mostly an issue under Rails when using methods like `capture`.

🛠 Fixed a bug where template text was escaped when there was interpolation in a line and the `:escape_html` option was enabled. For example:

    Foo < Bar #{"<"} Baz

with `:escape_html` used to render as

    Foo &lt; Bar < Baz

but now renders as

    Foo < Bar < Baz
🚅 Rails XSS Protection

Haml 2.2.9 supports the XSS protection in Rails versions 2.3.5+. There are several components to this:

* If XSS protection is enabled, Haml's {file:HAML_REFERENCE.md#escape_html-option `:escape_html`} option is set to `true` by default.
* Strings declared as HTML safe won't be escaped by Haml, including the {file:Haml/Helpers.html#html_escape-instance_method `#html_escape`} helper and `&=` if `:escape_html` has been disabled.
* Haml helpers that generate HTML are marked as HTML safe, and will escape their input if it's not HTML safe.
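As an added illustration of the HTML-safe convention described above (example code written for these notes, not Haml's or Rails' own implementation): `SafeString`, `html_escape` and `link_to` are stand-ins modelling how a safe-marked string passes through escaping untouched while an HTML-generating helper escapes unsafe input and marks its own output safe.

```ruby
require 'cgi'

# Hypothetical stand-in for Rails' ActiveSupport::SafeBuffer: a String that
# carries the "this is already HTML" mark.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted by default.
  def html_safe?
    false
  end

  # The application vouches for a string by calling #html_safe on it.
  def html_safe
    SafeString.new(self)
  end
end

# What `&=` / #html_escape do under Rails XSS protection: a string marked safe
# passes through untouched; anything else is escaped and the result is marked
# safe so a later escape does not double-encode it.
def html_escape(text)
  return text if text.html_safe?
  CGI.escapeHTML(text.to_s).html_safe
end

# An HTML-generating helper in the style the notes describe: input that is not
# marked safe is escaped, and the markup it builds is returned marked safe.
def link_to(text, href)
  %(<a href="#{html_escape(href)}">#{html_escape(text)}</a>).html_safe
end

if __FILE__ == $PROGRAM_NAME
  raw = 'Foo < "Bar" & Baz'           # constructed untrusted input
  puts html_escape(raw)               # Foo &lt; &quot;Bar&quot; &amp; Baz
  puts html_escape(raw.html_safe)     # Foo < "Bar" & Baz (application vouched for it)
  puts html_escape(link_to(raw, '/p?x=1&y=2'))  # helper output is not re-escaped
end
```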