Escape attribute values even if it's html_safe

Close #48 .
eagletmt · Feb 27, 2016 · fdf4da6 · fdf4da6
1 parent 934372b
commit fdf4da6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 1 deletion.
diff --git a/lib/faml/html.rb b/lib/faml/html.rb
@@ -33,7 +33,7 @@ def on_haml_attr(name, value)
           ['false, nil', [:multi]],
           [:else, [:multi,
                    [:static, " #{name}=#{options[:attr_quote]}"],
-                   [:escape, true, [:dynamic, sym]],
+                   [:dynamic, "::Temple::Utils.escape_html(#{sym})"],
                    [:static, options[:attr_quote]],
                   ]],
          ],

diff --git a/spec/rails/app/views/books/html_safe_attribute.html.haml b/spec/rails/app/views/books/html_safe_attribute.html.haml
@@ -0,0 +1,2 @@
+- html = %q{<b>"don't skip escape"</b>}.html_safe
+%span{'data-html' => html}
diff --git a/spec/rails/config/routes.rb b/spec/rails/config/routes.rb
@@ -6,6 +6,7 @@
     get :with_capture
     get :escaped
     get :preserve
+    get :html_safe_attribute
 
     get :syntax_error
     get :indent_error

diff --git a/spec/rails/spec/requests/faml_spec.rb b/spec/rails/spec/requests/faml_spec.rb
@@ -46,6 +46,13 @@
     expect(response.body).to include('&lt;marquee&gt;escape me&lt;/marquee&gt;')
   end
 
+  it 'escapes html_safe string in attribute values' do
+    get '/books/html_safe_attribute'
+    expect(response).to be_ok
+    html = Nokogiri::HTML.parse(response.body)
+    expect(html.at_css('span')['data-html']).to eq(%q{<b>"don't skip escape"</b>})
+  end
+
   describe 'object reference' do
     it 'works with new object' do
       get '/books/object_ref'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- html = %q{<b>"don't skip escape"</b>}.html_safe
		%span{'data-html' => html}