content_for fails to sanitize input when using HAML

See the following pages:

https://content-for-rails.herokuapp.com/works
https://content-for-rails.herokuapp.com/fails

* The first page is a **html.erb** while the second is a **HAML** variant. The source is [here](https://github.com/notalex/rails-6-sample/tree/master/app/views/home). The following is a snippet:

```ruby
%p HAML: content_for marks input as html_safe but does not sanitize it.
- content_for(:page_title) { "</title><script>alert('Pawned')</script>;" }
- puts content_for(:page_title) #=> prints unsanitized text marked as html_safe.
%p= content_for(:page_title)
```

* Debugging reveals that **content_for** when used in HAML does not sanitize given input.
* This issue is seen in HAML v1 & v2, Rails 4-6.
* Not sure whether this should be reported here or on Rails. This issue is only seen when using HAML with rails.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

content_for fails to sanitize input when using HAML #174

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

content_for fails to sanitize input when using HAML #174

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions