class Sqreen::Rules::Haml4UtilInterpolationHookCB

Public Class Methods

new(*args)
Calls superclass method Sqreen::Rules::RuleCB::new
# File lib/sqreen/rules/xss_cb.rb, line 161
# Builds the callback by delegating every argument (and any block) to the
# RuleCB constructor, then pins +@overtimeable+ to +false+ so this hook is
# never treated as one that may exceed its time budget.
def initialize(*args)
  super
  @overtimeable = false
end

Public Instance Methods

pre(_inst, args, _budget = nil, &_block)
# File lib/sqreen/rules/xss_cb.rb, line 166
def pre(_inst, args, _budget = nil, &_block)
  # Pre-hook around Haml's interpolation unescaping (presumably
  # Haml::Util.unescape_interpolation, given the class name; the original
  # comment says the same code also works with Haml 5). It rebuilds the Ruby
  # string literal Haml would have produced from the template text, but wraps
  # every real interpolation body in Sqreen.escape_haml so the XSS rule can
  # see the interpolated values. The returned hash uses :status => :skip with
  # :new_return_value holding the rebuilt literal, presumably so the hooked
  # Haml method is bypassed and this value is used instead.
  #
  # args[0] - the template text to rewrite
  # args[1] - truthy when Haml must HTML-escape interpolated values as well
  #
  # NOTE(review): Haml 5 also recognises the +#@var+ / +#$var+ shorthand
  # forms; this block only handles "#{" — confirm against the installed Haml.
  template, html_escape = args
  out = ''.dup
  # Work on the String#dump form so the scanner sees escaped, literal text;
  # handle_interpolation yields once per "#{" it encounters.
  tail = Haml::Util.handle_interpolation(template.dump) do |scan|
    # Backslashes preceding the "#{" (dump itself contributes one): an odd
    # count means the template author escaped the interpolation.
    backslashes = (scan[2].size - 1) / 2
    out << scan.matched[0...-(3 + backslashes)]
    if backslashes.even?
      # Real interpolation: take everything up to the matching "}" and drop it.
      expression = Haml::Util.balance(scan, '{', '}', 1)[0][0...-1]
      # The expression is still dump-escaped (\" etc.); eval of a double-quoted
      # literal restores the source text. The evaluated text is the template's
      # own interpolation body, which Haml compiles as Ruby anyway — so this
      # adds no new code-execution surface as long as templates are not
      # user-supplied (NOTE(review): confirm). TODO: String#undump (Ruby 2.5+)
      # would remove the eval once that Ruby floor is acceptable.
      content = eval(%("#{expression}")) # rubocop:disable Security/Eval
      content = "Haml::Helpers.html_escape((#{content}))" if html_escape
      out << "\#{Sqreen.escape_haml((#{content}))}"
    else
      # Escaped "#{": keep it as literal text in the rebuilt literal.
      out << '#{'
    end
  end
  { :status => :skip, :new_return_value => out + tail }
end