This follows the approach taken in haml-4.0.2/lib/haml/template.rb. The environment is as follows.
- ruby 2.0.0-p0
- haml 4.0.2
- activesupport 3.2.13
What is needed:
- require active_support/core_ext/string/output_safety to add String#html_safe and friends
- make Haml::Util#rails_xss_safe? return true
- include Haml::Helpers::XssMods into Haml::Helpers
- pass escape_html: true to the Haml::Engine constructor
```ruby
# String#html_safe / html_safe? from ActiveSupport (no Rails needed)
require "active_support/core_ext/string/output_safety"
require "haml"
require "haml/helpers/xss_mods"

# Tell Haml it may rely on html_safe? markers, as it does under Rails
Haml::Util.class_eval do
  def rails_xss_safe?
    true
  end
end

# XssMods makes the escaping helpers leave html_safe strings untouched
Haml::Helpers.class_eval do
  include Haml::Helpers::XssMods
end

haml = <<-HAML
= "<script>alert('1');</script>"
= "<script>alert('1');</script>".html_safe
HAML

# escape_html: true escapes the first line; the second is marked safe and passes through
puts Haml::Engine.new(haml, escape_html: true).render
```
Output (the first line is emitted with its HTML entities escaped; the entities were decoded when this page was captured):
<script>alert(1);</script>
<script>alert(1);</script>
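As an added example (not code from the original post or from the haml project), the following re-implements in miniature the two pieces the post wires together, String#html_safe from ActiveSupport and the html_safe-aware escaping of Haml::Helpers::XssMods, so the behaviour can be checked without either gem installed. SafeString, MiniHaml, html_escape and render are names assumed by this example.

```ruby
# Minimal stand-ins for ActiveSupport::SafeBuffer and Haml's escape_html path.
HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#039;' }.freeze
HTML_ESCAPE_REGEX = /[&<>"']/

# A string whose content is already trusted HTML (like SafeBuffer).
class SafeString < String
  def html_safe?
    true
  end

  # Appending untrusted text to a safe buffer escapes it, as SafeBuffer does.
  def concat(other)
    super(MiniHaml.html_escape(other))
  end
  alias_method :<<, :concat
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

module MiniHaml
  module_function

  # XssMods behaviour: html_safe strings pass through untouched; anything else
  # is entity-escaped and the result is marked safe so it is never escaped twice.
  def html_escape(text)
    return text if text.respond_to?(:html_safe?) && text.html_safe?
    SafeString.new(text.to_s.gsub(HTML_ESCAPE_REGEX, HTML_ESCAPE))
  end

  # Renders "= ruby_expr" script lines; other lines are static text.
  # Template source is trusted author code, exactly as it is in Haml.
  def render(source, escape_html: false)
    source.each_line.map do |line|
      line = line.strip
      next line unless line.start_with?('= ')
      value = eval(line[2..-1])
      (escape_html ? html_escape(value) : value.to_s).to_s
    end.join("\n") + "\n"
  end
end
```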