Add support for Rails 7.1 and HAML 6

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
  matrix:
  include:
  - ruby: 2.5.9
- gemfile: Gemfile.rails-3.2
+ gemfile: Gemfile.rails-3.2.haml-4
  - ruby: 2.5.9
  gemfile: Gemfile.rails-4.2.haml-4
  - ruby: 2.5.9
@@ -42,6 +42,10 @@ jobs:
  gemfile: Gemfile.rails-6.1.haml-5
  - ruby: 3.2.3
  gemfile: Gemfile.rails-7.0.haml-5
+ - ruby: 3.2.3
+ gemfile: Gemfile.rails-7.1.haml-5
+ - ruby: 3.2.3
+ gemfile: Gemfile.rails-7.1.haml-6
  env:
  BUNDLE_GEMFILE: "${{ matrix.gemfile }}"
  steps:

CHANGELOG.md

@@ -6,6 +6,14 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 ## Unreleased
 
 ### Compatible changes
+* Add compatibility with Rails 7.1
+* Add compatibility with HAML 6
+ * NOTE: Don't use HAML 6.0.0. AngularXSS relies on a patch [introduced in 6.0.1](https://github.com/haml/haml/blob/main/CHANGELOG.md#601). Anything newer should be fine - the gem is currently tested against HAML 6.3
+* Refactor our patches to use `Module#prepend` instead of `Module#module_eval`
+* Refactor gem version comparisons to use `Gem::Version` instances
+* Refactor specs to use the `expect` syntax
+* Add missing unit tests for patched methods
+* Improve test coverage for more interpolation scenarios in ERB and HAML
 
 ### Breaking changes
 

Gemfile.rails-5.1.haml-5.lock

@@ -54,7 +54,7 @@ GEM
  nokogiri (>= 1.6)
  rails-html-sanitizer (1.0.3)
  loofah (~> 2.0)
- rake (12.3.0)
+ rake (13.2.1)
  rspec (3.10.0)
  rspec-core (~> 3.10.0)
  rspec-expectations (~> 3.10.0)

Gemfile.rails-7.1.haml-5

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.1'
+gem 'rspec'
+gem 'haml', '~> 5'
+gem 'angular_xss', :path => '.'
+gem 'gemika', '>= 0.8.3'
+gem 'rake'
+gem 'byebug'

Gemfile.rails-7.1.haml-5.lock

@@ -0,0 +1,105 @@
+PATH
+ remote: .
+ specs:
+ angular_xss (0.4.1)
+ activesupport
+ haml (>= 3.1.5)
+
+GEM
+ remote: http://rubygems.org/
+ specs:
+ actionpack (7.1.3.4)
+ actionview (= 7.1.3.4)
+ activesupport (= 7.1.3.4)
+ nokogiri (>= 1.8.5)
+ racc
+ rack (>= 2.2.4)
+ rack-session (>= 1.0.1)
+ rack-test (>= 0.6.3)
+ rails-dom-testing (~> 2.2)
+ rails-html-sanitizer (~> 1.6)
+ actionview (7.1.3.4)
+ activesupport (= 7.1.3.4)
+ builder (~> 3.1)
+ erubi (~> 1.11)
+ rails-dom-testing (~> 2.2)
+ rails-html-sanitizer (~> 1.6)
+ activesupport (7.1.3.4)
+ base64
+ bigdecimal
+ concurrent-ruby (~> 1.0, >= 1.0.2)
+ connection_pool (>= 2.2.5)
+ drb
+ i18n (>= 1.6, < 2)
+ minitest (>= 5.1)
+ mutex_m
+ tzinfo (~> 2.0)
+ base64 (0.2.0)
+ bigdecimal (3.1.8)
+ builder (3.3.0)
+ byebug (11.1.3)
+ concurrent-ruby (1.3.3)
+ connection_pool (2.4.1)
+ crass (1.0.6)
+ diff-lcs (1.5.1)
+ drb (2.2.1)
+ erubi (1.13.0)
+ gemika (0.8.3)
+ haml (5.2.2)
+ temple (>= 0.8.0)
+ tilt
+ i18n (1.14.5)
+ concurrent-ruby (~> 1.0)
+ loofah (2.22.0)
+ crass (~> 1.0.2)
+ nokogiri (>= 1.12.0)
+ minitest (5.23.1)
+ mutex_m (0.2.0)
+ nokogiri (1.16.6-x86_64-linux)
+ racc (~> 1.4)
+ racc (1.8.0)
+ rack (3.1.3)
+ rack-session (2.0.0)
+ rack (>= 3.0.0)
+ rack-test (2.1.0)
+ rack (>= 1.3)
+ rails-dom-testing (2.2.0)
+ activesupport (>= 5.0.0)
+ minitest
+ nokogiri (>= 1.6)
+ rails-html-sanitizer (1.6.0)
+ loofah (~> 2.21)
+ nokogiri (~> 1.14)
+ rake (13.2.1)
+ rspec (3.13.0)
+ rspec-core (~> 3.13.0)
+ rspec-expectations (~> 3.13.0)
+ rspec-mocks (~> 3.13.0)
+ rspec-core (3.13.0)
+ rspec-support (~> 3.13.0)
+ rspec-expectations (3.13.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.13.0)
+ rspec-mocks (3.13.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.13.0)
+ rspec-support (3.13.1)
+ temple (0.10.3)
+ tilt (2.3.0)
+ tzinfo (2.0.6)
+ concurrent-ruby (~> 1.0)
+
+PLATFORMS
+ x86_64-linux
+
+DEPENDENCIES
+ actionpack (~> 7.1)
+ angular_xss!
+ byebug
+ gemika (>= 0.8.3)
+ haml (~> 5)
+ rake
+ rspec
+
+BUNDLED WITH
+ 2.5.13

Gemfile.rails-7.1.haml-6

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.1'
+gem 'rspec'
+gem 'haml', '~> 6'
+gem 'angular_xss', :path => '.'
+gem 'gemika', '>= 0.8.3'
+gem 'rake'
+gem 'byebug'

Gemfile.rails-7.1.haml-6.lock

@@ -0,0 +1,122 @@
+PATH
+ remote: .
+ specs:
+ angular_xss (0.4.1)
+ activesupport
+ haml (>= 3.1.5)
+
+GEM
+ remote: http://rubygems.org/
+ specs:
+ actionpack (7.1.3.4)
+ actionview (= 7.1.3.4)
+ activesupport (= 7.1.3.4)
+ nokogiri (>= 1.8.5)
+ racc
+ rack (>= 2.2.4)
+ rack-session (>= 1.0.1)
+ rack-test (>= 0.6.3)
+ rails-dom-testing (~> 2.2)
+ rails-html-sanitizer (~> 1.6)
+ actionview (7.1.3.4)
+ activesupport (= 7.1.3.4)
+ builder (~> 3.1)
+ erubi (~> 1.11)
+ rails-dom-testing (~> 2.2)
+ rails-html-sanitizer (~> 1.6)
+ activesupport (7.1.3.4)
+ base64
+ bigdecimal
+ concurrent-ruby (~> 1.0, >= 1.0.2)
+ connection_pool (>= 2.2.5)
+ drb
+ i18n (>= 1.6, < 2)
+ minitest (>= 5.1)
+ mutex_m
+ tzinfo (~> 2.0)
+ base64 (0.2.0)
+ bigdecimal (3.1.8)
+ builder (3.3.0)
+ byebug (11.1.3)
+ concurrent-ruby (1.3.3)
+ connection_pool (2.4.1)
+ crass (1.0.6)
+ diff-lcs (1.5.1)
+ drb (2.2.1)
+ erubi (1.13.0)
+ gemika (0.8.3)
+ haml (6.3.0)
+ temple (>= 0.8.2)
+ thor
+ tilt
+ i18n (1.14.5)
+ concurrent-ruby (~> 1.0)
+ loofah (2.22.0)
+ crass (~> 1.0.2)
+ nokogiri (>= 1.12.0)
+ minitest (5.24.0)
+ mutex_m (0.2.0)
+ nokogiri (1.16.6-aarch64-linux)
+ racc (~> 1.4)
+ nokogiri (1.16.6-arm-linux)
+ racc (~> 1.4)
+ nokogiri (1.16.6-arm64-darwin)
+ racc (~> 1.4)
+ nokogiri (1.16.6-x86-linux)
+ racc (~> 1.4)
+ nokogiri (1.16.6-x86_64-darwin)
+ racc (~> 1.4)
+ nokogiri (1.16.6-x86_64-linux)
+ racc (~> 1.4)
+ racc (1.8.0)
+ rack (3.1.3)
+ rack-session (2.0.0)
+ rack (>= 3.0.0)
+ rack-test (2.1.0)
+ rack (>= 1.3)
+ rails-dom-testing (2.2.0)
+ activesupport (>= 5.0.0)
+ minitest
+ nokogiri (>= 1.6)
+ rails-html-sanitizer (1.6.0)
+ loofah (~> 2.21)
+ nokogiri (~> 1.14)
+ rake (13.2.1)
+ rspec (3.13.0)
+ rspec-core (~> 3.13.0)
+ rspec-expectations (~> 3.13.0)
+ rspec-mocks (~> 3.13.0)
+ rspec-core (3.13.0)
+ rspec-support (~> 3.13.0)
+ rspec-expectations (3.13.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.13.0)
+ rspec-mocks (3.13.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.13.0)
+ rspec-support (3.13.1)
+ temple (0.10.3)
+ thor (1.3.1)
+ tilt (2.3.0)
+ tzinfo (2.0.6)
+ concurrent-ruby (~> 1.0)
+
+PLATFORMS
+ aarch64-linux
+ arm-linux
+ arm64-darwin
+ x86-linux
+ x86_64-darwin
+ x86_64-linux
+
+DEPENDENCIES
+ actionpack (~> 7.1)
+ angular_xss!
+ byebug
+ gemika (>= 0.8.3)
+ haml (~> 6)
+ rake
+ rspec
+
+BUNDLED WITH
+ 2.5.13

README.md

@@ -56,11 +56,13 @@ Development
 -----------
 
 - Fork the repository.
-- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
-- You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Prepare your changes, and ensure existing and new test are green:
+ - `bundle exec rake matrix:install` installs all dependencies for all Gemfiles
+ - `bundle exec rake matrix:spec` runs all specs in all configurations
+ - You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Push your changes with specs. There is a test application in `spec/app_root` if you need to test integration with a live Rails app.
 - Send a pull request.
 
-
 Credits
 -------
 

lib/angular_xss.rb

@@ -1,6 +1,7 @@
 #"string".respond_to?(:html_safe?) or raise "No rails_xss implementation present"
 
 require 'angular_xss/escaper'
+require 'angular_xss/output_buffer'
 require 'angular_xss/safe_buffer'
 require 'angular_xss/erb'
 require 'angular_xss/haml'

lib/angular_xss/erb.rb

@@ -1,33 +1,25 @@
-# Use module_eval so we crash when ERB::Util has not yet been loaded.
-ERB::Util.module_eval do
-
- if private_method_defined? :unwrapped_html_escape # Rails 4.2+
-
- def unwrapped_html_escape_with_escaping_angular_expressions(s)
- s = s.to_s
- if s.html_safe?
- s
- else
- unwrapped_html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
- end
+if ERB::Util.private_method_defined? :unwrapped_html_escape
+ # Rails 4.2+
+ # https://github.com/rails/rails/blob/main/activesupport/lib/active_support/core_ext/erb/util.rb
+ module ERBUtilExt
+ def html_escape_once(s)
+ super(AngularXss::Escaper.escape_if_unsafe(s))
  end
 
- alias_method :unwrapped_html_escape_without_escaping_angular_expressions, :unwrapped_html_escape
- alias_method :unwrapped_html_escape, :unwrapped_html_escape_with_escaping_angular_expressions
-
- singleton_class.send(:remove_method, :unwrapped_html_escape)
- module_function :unwrapped_html_escape
- module_function :unwrapped_html_escape_without_escaping_angular_expressions
+ def unwrapped_html_escape(s)
+ super(AngularXss::Escaper.escape_if_unsafe(s))
+ end
+ # Note that html_escape() and h() are passively fixed as they are calling the two methods above
+ end
+ ERB::Util.prepend ERBUtilExt
+ ERB::Util.singleton_class.prepend ERBUtilExt
 
- else # Rails < 4.2
+else
+ ERB::Util.module_eval do
+ # Rails < 4.2
 
  def html_escape_with_escaping_angular_expressions(s)
- s = s.to_s
- if s.html_safe?
- s
- else
- html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
- end
+ html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape_if_unsafe(s))
  end
 
  alias_method_chain :html_escape, :escaping_angular_expressions
@@ -41,7 +33,5 @@ def html_escape_with_escaping_angular_expressions(s)
  singleton_class.send(:remove_method, :html_escape)
  module_function :html_escape
  module_function :html_escape_without_escaping_angular_expressions
-
  end
-
 end

lib/angular_xss/escaper.rb

@@ -27,6 +27,14 @@ def self.escape(string)
  end
  end
 
+ def self.escape_if_unsafe(string)
+ if string.nil? || string.to_s.html_safe?
+ string
+ else
+ escape(string.to_s)
+ end
+ end
+
  def self.disabled?
  !!Thread.current[XSS_DISABLED_KEY]
  end