class Sqreen::Rules::Haml4UtilInterpolationHookCB
new(*args)
# File lib/sqreen/rules/xss_cb.rb, line 161
# Builds the callback. Every argument is forwarded untouched to the
# RuleCB constructor; afterwards the callback is flagged as not
# overtimeable (the flag is read elsewhere — not visible in this file).
#
# @param args [Array] passed straight through to Sqreen::Rules::RuleCB#initialize
def initialize(*args)
  super
  @overtimeable = false
end
pre(_inst, args, _budget = nil, &_block)
# File lib/sqreen/rules/xss_cb.rb, line 166
# Pre-hook for HAML's interpolation handling. Rebuilds the template string the
# same way HAML does, but wraps every interpolated `#{...}` expression in a
# `Sqreen.escape_haml` call (and, when escape_html is set, additionally in
# `Haml::Helpers.html_escape`) so that interpolated values are escaped on
# output. The hooked call's original return value is replaced by the result.
#
# @param _inst unused hook receiver
# @param args [Array] the hooked call's arguments: args[0] is the template
#   string, args[1] the escape_html flag
# @param _budget unused
# @param _block unused
# @return [Hash] { :status => :skip, :new_return_value => String } —
#   presumably tells the hook framework to skip the original call and return
#   the rebuilt string instead (the hook protocol is defined outside this file)
def pre(_inst, args, _budget = nil, &_block)
  # Also work in haml5
  str = args[0]
  escape_html = args[1]
  # Original code from HAML tuned up to insert escape_haml call
  res = ''
  # Scanning is done on str.dump, i.e. the escaped source-literal form, so
  # both res and rest are accumulated in that dumped form.
  rest = Haml::Util.handle_interpolation str.dump do |scan|
    # NOTE(review): assumes handle_interpolation's capture 2 is the run of
    # backslashes before the '#'. dump doubles each template backslash and
    # adds one for the '#', so (size - 1) / 2 recovers the template's own
    # backslash count; an odd count means the '#{' was escaped in the
    # template and must stay literal.
    escapes = (scan[2].size - 1) / 2
    # Keep the leading text plus `escapes` backslashes (half the run), which
    # is what the dumped form needs ahead of whatever is appended next.
    res << scan.matched[0...-3 - escapes]
    if escapes.odd?
      res << '#{'
    else
      # Use eval to get rid of string escapes
      # TODO: look for eval removal
      # NOTE(review): balance presumably returns the balanced `{...}` text
      # first; [0...-1] drops its closing brace. The eval'd text is the
      # interpolation body as written in the template source — Ruby code that
      # HAML compiles and runs anyway — so it presumably adds no new
      # code-execution surface; confirm that `str` can only come from template
      # source and never from request data before relying on that.
      content = eval('"' + Haml::Util.balance(scan, '{', '}', 1)[0][0...-1] + '"') # rubocop:disable Security/Eval
      content = "Haml::Helpers.html_escape((#{content}))" if escape_html
      res << '#{Sqreen.escape_haml((' + content + '))}'
    end
  end
  { :status => :skip, :new_return_value => res + rest }
end