Re-ignore HAML escape method

ca109fc7 · Justin Collins · 77f12cf3 · ca109fc7 · ca109fc7 · ca109fc7
3 changed file
--- a/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -290,6 +290,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
    safe_input_attribute?(target, method) or
    ignored_model_method?(method) or
    form_builder_method?(target, method) or
+    haml_escaped?(target, method) or
    boolean_method?(method) or
    cgi_escaped?(target, method) or
    xml_escaped?(target, method)
@@ -311,6 +312,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
    (target == URI or target == CGI)
  end

+  def haml_escaped? target, method
+    method == :html_escape and target == HAML_HELPERS
+  end
+
  def xml_escaped? target, method
    method == :escape_xml and target == XML_HELPER
  end

--- a/test/apps/rails3.1/app/views/users/interpolated_value.html.haml
+++ b/test/apps/rails3.1/app/views/users/interpolated_value.html.haml
+.escaped_thing
+  Hi #{params[:awesomeness]}
--- a/test/tests/rails31.rb
+++ b/test/tests/rails31.rb
@@ -806,6 +806,17 @@ class Rails31Tests < Test::Unit::TestCase
      :file => /json_test\.html\.erb/
  end

+  def test_cross_site_scripting_in_haml_interp
+    assert_warning :type => :template,
+      :warning_code => 5,
+      :fingerprint => "56acfae7db5bda36a971702c819899043e7f62c8623223f353a1ade876454712",
+      :warning_type => "Cross Site Scripting",
+      :line => 2,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 2,
+      :relative_path => "app/views/users/interpolated_value.html.haml"
+  end
+
  def test_arel_table_in_sql
    assert_no_warning :type => :warning,
      :warning_type => "SQL Injection",