Add compatibility for Rails 7.1 and HAML 6

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
       matrix:
         include:
         - ruby: 2.5.9
-          gemfile: Gemfile.rails-3.2
+          gemfile: Gemfile.rails-3.2.haml-4
         - ruby: 2.5.9
           gemfile: Gemfile.rails-4.2.haml-4
         - ruby: 2.5.9
@@ -42,6 +42,10 @@ jobs:
           gemfile: Gemfile.rails-6.1.haml-5
         - ruby: 3.2.3
           gemfile: Gemfile.rails-7.0.haml-5
+        - ruby: 3.2.3
+          gemfile: Gemfile.rails-7.1.haml-5
+        - ruby: 3.2.3
+          gemfile: Gemfile.rails-7.1.haml-6
     env:
       BUNDLE_GEMFILE: "${{ matrix.gemfile }}"
     steps:

CHANGELOG.md

@@ -9,6 +9,19 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 
 ### Breaking changes
 
+## 1.0 2024-07-02
+
+### Compatible changes
+* Bump version to 1.0 as this gem is production-ready for 10 years
+* Declare the gem to be unmaintained
+* Add compatibility with Rails 7.1
+* Add compatibility with HAML 6
+  * NOTE: Don't use HAML 6.0.0. AngularXSS relies on a patch [introduced in 6.0.1](https://github.com/haml/haml/blob/main/CHANGELOG.md#601). Anything newer should be fine - the gem is currently tested against HAML 6.3
+* Refactor our patches to use `Module#prepend` instead of `Module#module_eval`
+* Refactor gem version comparisons to use `Gem::Version` instances
+* Refactor specs to use the `expect` syntax
+* Improve test coverage for more interpolation scenarios in ERB and HAML
+* Add unit tests for patched methods
 
 ## 0.4.1 2022-03-16
 

Gemfile.rails-5.1.haml-5.lock

@@ -54,7 +54,7 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
-    rake (12.3.0)
+    rake (13.2.1)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)

Gemfile.rails-7.1.haml-5

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.1'
+gem 'rspec'
+gem 'haml', '~> 5'
+gem 'angular_xss', :path => '.'
+gem 'gemika', '>= 0.8.3'
+gem 'rake'
+gem 'byebug'

Gemfile.rails-7.1.haml-5.lock

@@ -0,0 +1,105 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (0.4.1)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      mutex_m
+      tzinfo (~> 2.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    byebug (11.1.3)
+    concurrent-ruby (1.3.3)
+    connection_pool (2.4.1)
+    crass (1.0.6)
+    diff-lcs (1.5.1)
+    drb (2.2.1)
+    erubi (1.13.0)
+    gemika (0.8.3)
+    haml (5.2.2)
+      temple (>= 0.8.0)
+      tilt
+    i18n (1.14.5)
+      concurrent-ruby (~> 1.0)
+    loofah (2.22.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    minitest (5.23.1)
+    mutex_m (0.2.0)
+    nokogiri (1.16.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.8.0)
+    rack (3.1.3)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    rake (13.2.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    temple (0.10.3)
+    tilt (2.3.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  actionpack (~> 7.1)
+  angular_xss!
+  byebug
+  gemika (>= 0.8.3)
+  haml (~> 5)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.5.13

Gemfile.rails-7.1.haml-6

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'actionpack', '~>7.1'
+gem 'rspec'
+gem 'haml', '~> 6'
+gem 'angular_xss', :path => '.'
+gem 'gemika', '>= 0.8.3'
+gem 'rake'
+gem 'byebug'

Gemfile.rails-7.1.haml-6.lock

@@ -0,0 +1,122 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (0.4.1)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      mutex_m
+      tzinfo (~> 2.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    byebug (11.1.3)
+    concurrent-ruby (1.3.3)
+    connection_pool (2.4.1)
+    crass (1.0.6)
+    diff-lcs (1.5.1)
+    drb (2.2.1)
+    erubi (1.13.0)
+    gemika (0.8.3)
+    haml (6.3.0)
+      temple (>= 0.8.2)
+      thor
+      tilt
+    i18n (1.14.5)
+      concurrent-ruby (~> 1.0)
+    loofah (2.22.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    minitest (5.24.0)
+    mutex_m (0.2.0)
+    nokogiri (1.16.6-aarch64-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-arm-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.8.0)
+    rack (3.1.3)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    rake (13.2.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    temple (0.10.3)
+    thor (1.3.1)
+    tilt (2.3.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+
+PLATFORMS
+  aarch64-linux
+  arm-linux
+  arm64-darwin
+  x86-linux
+  x86_64-darwin
+  x86_64-linux
+
+DEPENDENCIES
+  actionpack (~> 7.1)
+  angular_xss!
+  byebug
+  gemika (>= 0.8.3)
+  haml (~> 6)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.5.13

README.md

@@ -7,6 +7,12 @@ This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are aut
 
 **This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
 
+🚧 Notice: unmaintained gem
+------------------
+
+We are no longer actively maintaining this gem.
+
+The `1.0` release added support for HAML 6 and Rails 7.1, so the gem will at least support Rails 3.2 - 7.1 and HAML 4 - 6. `angular_xss` might still work for future versions HAML and Rails, but we won't actively ensure it does.
 
 Disable escaping locally
 ------------------------
@@ -56,11 +62,13 @@ Development
 -----------
 
 - Fork the repository.
-- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
-- You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Prepare your changes, and ensure existing and new test are green:
+  - `bundle exec rake matrix:install` installs all dependencies for all Gemfiles
+  - `bundle exec rake matrix:spec` runs all specs in all configurations
+  - You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Push your changes with specs. There is a test application in `spec/app_root` if you need to test integration with a live Rails app.
 - Send a pull request.
 
-
 Credits
 -------
 

lib/angular_xss.rb

@@ -1,6 +1,7 @@
 #"string".respond_to?(:html_safe?) or raise "No rails_xss implementation present"
 
 require 'angular_xss/escaper'
+require 'angular_xss/output_buffer'
 require 'angular_xss/safe_buffer'
 require 'angular_xss/erb'
 require 'angular_xss/haml'

lib/angular_xss/erb.rb

@@ -1,33 +1,25 @@
-# Use module_eval so we crash when ERB::Util has not yet been loaded.
-ERB::Util.module_eval do
-
-  if private_method_defined? :unwrapped_html_escape # Rails 4.2+
-
-    def unwrapped_html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        unwrapped_html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+if ERB::Util.private_method_defined? :unwrapped_html_escape
+  # Rails 4.2+
+  # https://github.com/rails/rails/blob/main/activesupport/lib/active_support/core_ext/erb/util.rb
+  module ERBUtilExt
+    def html_escape_once(s)
+      super(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
-    alias_method :unwrapped_html_escape_without_escaping_angular_expressions, :unwrapped_html_escape
-    alias_method :unwrapped_html_escape, :unwrapped_html_escape_with_escaping_angular_expressions
-
-    singleton_class.send(:remove_method, :unwrapped_html_escape)
-    module_function :unwrapped_html_escape
-    module_function :unwrapped_html_escape_without_escaping_angular_expressions
+    def unwrapped_html_escape(s)
+      super(AngularXss::Escaper.escape_if_unsafe(s))
+    end
+    # Note that html_escape() and h() are passively fixed as they are calling the two methods above
+  end
+  ERB::Util.prepend ERBUtilExt
+  ERB::Util.singleton_class.prepend ERBUtilExt
 
-  else # Rails < 4.2
+else
+  ERB::Util.module_eval do
+    # Rails < 4.2
 
     def html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
     alias_method_chain :html_escape, :escaping_angular_expressions
@@ -41,7 +33,5 @@ def html_escape_with_escaping_angular_expressions(s)
     singleton_class.send(:remove_method, :html_escape)
     module_function :html_escape
     module_function :html_escape_without_escaping_angular_expressions
-
   end
-
 end