Haml: HTML-Escaping Without Rails

Created on 4 Apr 2017  ·  3 Comments  ·  Source: haml/haml

I'm using HAML without Rails, e.g.:

```ruby
::Haml::Engine.new(my_haml_source).render
```

I can't get the escaping working properly. This section from the docs seems to describe the behaviour that I want:

> Haml supports Rails’ XSS protection scheme... all strings printed to a Haml template are escaped by default. Also like ERB, strings marked as HTML safe are not escaped. Haml also has its own syntax for printing a raw string to the template.

In particular, I expect lines like this in my Haml source to be properly escaped:

```haml
%h1.title My title: #{"<img src='lol' onerror='window.alert(`hax`);' />"}
```

Just doing:

```ruby
::Haml::Engine.new(haml_source, escape_html: true)
```

doesn't give me any joy. I tried monkey-patching

```ruby
Haml::Util.rails_xss_safe?
```

to return true (as the Rails mods do), but that didn't help either.

Is there some secret switch that I'm missing?

All 3 comments

Please provide the Haml version you use and the precise expected behavior for your input template. I think it's working perfectly.

```console
$ haml -v
Haml 4.0.7
$ cat in.haml
%h1.title My title: #{"<img src='lol' onerror='window.alert(`hax`);' />"}
$ haml -e in.haml
<h1 class='title'>My title: &lt;img src='lol' onerror='window.alert(`hax`);' /&gt;</h1>
$ irb
irb(main):001:0> require 'haml'
=> true
irb(main):002:0> Haml::Engine.new(File.read("in.haml"), escape_html: true).render
=> "<h1 class='title'>My title: &lt;img src='lol' onerror='window.alert(`hax`);' /&gt;</h1>\n"
```

It's not reproducible in the latest Haml either. A reproduction repository, or the combination of Gemfile, Gemfile.lock and a script, should be provided to solve your issue.

```console
$ gem install haml -v 5.0.0.beta.2
Fetching: haml-5.0.0.beta.2.gem (100%)
Successfully installed haml-5.0.0.beta.2
$ irb
irb(main):001:0> require 'haml'
=> true
irb(main):002:0> Haml::VERSION
=> "5.0.0.beta.2"
irb(main):003:0> Haml::Engine.new(File.read("in.haml"), escape_html: true).render
=> "<h1 class='title'>My title: &lt;img src=&#39;lol&#39; onerror=&#39;window.alert(`hax`);&#39; /&gt;</h1>\n"
```
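The escape-by-default model that the quoted docs describe (everything interpolated is escaped, strings marked HTML-safe pass through, a separate syntax prints raw), shown as an added stand-alone Ruby example that is not code from Haml or from anyone in this thread. It needs no gems: escaping is done with the stdlib's `CGI.escapeHTML`, the `SafeString` class and the `{{name}}` placeholder renderer are hypothetical stand-ins for Rails' `html_safe` and for Haml's `=`/`#{}` interpolation, and `raw` plays the role of Haml's `!=`. Run on the payload from `in.haml` above, the escaped path produces exactly the Haml 5 output shown in the previous comment (note the `&#39;` for single quotes, which Haml 4 leaves alone).

```ruby
require 'cgi'

# Hypothetical marker for strings the caller vouches for as HTML. It plays
# the part Rails' String#html_safe plays in the Haml docs quoted in the
# issue: anything carrying this marker is emitted without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Mark a string as trusted HTML (the counterpart of Haml's `!=`). Only ever
# wrap output you built or escaped yourself, never request input.
def raw(str)
  SafeString.new(str)
end

# Escape unless the value is already marked safe. CGI.escapeHTML turns
# & < > " ' into entities, which is why the Haml 5 output in the issue
# shows &#39; for the single quotes; escaping ' as well keeps the value
# inert inside single-quoted attributes, not just in element content.
def h(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s)
end

# Minimal template renderer (hypothetical, not Haml): every {{name}}
# placeholder is replaced by the escaped value of locals[name], mirroring
# "escaped by default" for `=` and `#{}`.
def render(template, locals)
  template.gsub(/\{\{(\w+)\}\}/) { h(locals.fetch(Regexp.last_match(1).to_sym)) }
end

# Constructed input: the untrusted payload from the issue's in.haml and a
# template equivalent to its `%h1.title` line.
PAYLOAD = "<img src='lol' onerror='window.alert(`hax`);' />".freeze
TEMPLATE = "<h1 class='title'>My title: {{title}}</h1>".freeze

# Default path: the payload is escaped and cannot register an onerror handler.
def rendered_escaped
  render(TEMPLATE, title: PAYLOAD)
end

# Raw path: marking untrusted input safe reinjects the payload verbatim.
def rendered_raw
  render(TEMPLATE, title: raw(PAYLOAD))
end

# A value escaped once and then marked safe is not double-encoded.
def rendered_pre_escaped
  render(TEMPLATE, title: raw(h(PAYLOAD)))
end

if __FILE__ == $PROGRAM_NAME
  puts rendered_escaped
  puts rendered_raw
end
```

The three functions make the practical point of the thread concrete: with escaping on, the only way a tag from user data reaches the page is for someone to wrap it in `raw` (Haml's `!=`), so reviewing uses of `!=` and of `html_safe` is where the XSS risk actually lives once `escape_html: true` is set.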

Yeah: it turns out that I was just a complete moron and I was editing the wrong file 🤦‍♂️. Thanks for your quick response and sorry for wasting your time.
