From f8e92a4dfede6703f82e2b81480b9da75bbfe0ad Mon Sep 17 00:00:00 2001
From: Dan Sketcher <dan@sketcher.net>
Date: Fri, 28 May 2010 15:41:12 +1000
Subject: [PATCH 1/2] Add support for Rails XSS protection

---
 lib/semantic_menu.rb | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/lib/semantic_menu.rb b/lib/semantic_menu.rb
index 7d77609..13f1532 100644
--- a/lib/semantic_menu.rb
+++ b/lib/semantic_menu.rb
@@ -22,7 +22,7 @@ def add(title, link, link_opts={}, &block)
   end
   
   def to_s
-    content_tag :li, link_to(@title, @link, @link_opts) + child_output, ({:class => 'active'} if active?)
+    content_tag :li, SemanticMenu::Util.html_safe(link_to(@title, @link, @link_opts) + child_output), ({:class => 'active'} if active?)
   end
   
   def level_class
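Review bot: The `Util.html_safe` call added on line 19 marks `link_to(@title, @link, @link_opts) + child_output` as safe, but nothing in the hunk records what that assertion rests on: with Rails XSS protection enabled, `link_to` escapes its name argument and the tag helpers escape attribute values, and `child_output` is assembled from other `MenuItem#to_s` results. If `@title` ever reaches this line unescaped (for example through a helper that returns a plain String), the blanket marking would hide it rather than fail loudly. Suggest a comment above the call, `# safe: link_to/content_tag already escaped @title and @link_opts; child_output is built from escaped MenuItem#to_s output`. The same caveat applies to the `Util.html_safe(...join)` wrappers in the `child_output` and `SemanticMenu#to_s` hunks below, where `Array#join` returns a plain String and drops the safe flag, so the re-marking is sound only because every joined element came from an escaping `to_s`.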
@@ -30,7 +30,7 @@ def level_class
   end
   
   def child_output
-    children.empty? ? '' : content_tag(:ul, @children.collect(&:to_s).join, :class => level_class)
+    children.empty? ? '' : content_tag(:ul, SemanticMenu::Util.html_safe(@children.collect(&:to_s).join), :class => level_class)
   end
   
   def active?
@@ -44,6 +44,29 @@ def on_current_page?
 end
 
 class SemanticMenu < MenuItem
+  # Adapted from Formtastic::Util, which was in turn
+  # Adapted from the rails3 compatibility shim in Haml 2.2
+  module Util
+    extend self
+    ## Rails XSS Safety
+
+    # Returns the given text, marked as being HTML-safe.
+    # With older versions of the Rails XSS-safety mechanism,
+    # this destructively modifies the HTML-safety of `text`.
+    #
+    # @param text [String]
+    # @return [String] `text`, marked as HTML-safe
+    def html_safe(text)
+      return text if text.nil?
+      return text.html_safe if defined?(ActiveSupport::SafeBuffer)
+      return text.html_safe!
+    end
+
+    def rails_safe_buffer_class
+      return ActionView::SafeBuffer if defined?(ActionView::SafeBuffer)
+      ActiveSupport::SafeBuffer
+    end
+  end
   
   def initialize(controller, opts={},&block)
    @@controller = controller
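Review bot: `html_safe` on lines 50-51 falls through to `text.html_safe!` whenever `ActiveSupport::SafeBuffer` is not defined, so on a Rails that has no XSS-protection layer at all (neither `String#html_safe` nor `html_safe!`) every `to_s` now raises NoMethodError instead of returning the markup as before this patch. Dispatching on the string rather than on the constant avoids that and also covers the case where the constant exists but `text` is not a String: `return text.html_safe if text.respond_to?(:html_safe)` / `return text.html_safe! if text.respond_to?(:html_safe!)` / `text`. `rails_safe_buffer_class` is added but not called anywhere in this patch; if it is kept, a one-line comment explaining why both `ActionView::SafeBuffer` and `ActiveSupport::SafeBuffer` are probed would help the next maintainer. The `initialize` body that follows continues outside the hunk.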
@@ -55,6 +78,6 @@ def initialize(controller, opts={},&block)
   end
 
   def to_s
-    content_tag(:ul, @children.collect(&:to_s).join, @opts)
+    content_tag(:ul, SemanticMenu::Util.html_safe(@children.collect(&:to_s).join), @opts)
   end
 end

From 7bbf5e1b07bfb41e096f9db1ac7dcea4a3141e00 Mon Sep 17 00:00:00 2001
From: Dan Sketcher <dan@sketcher.net>
Date: Fri, 18 Feb 2011 13:17:47 +1000
Subject: [PATCH 2/2] Replace deprecated Kernel#returning with Object#tap

---
 lib/semantic_menu.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/semantic_menu.rb b/lib/semantic_menu.rb
index 13f1532..83e55c7 100644
--- a/lib/semantic_menu.rb
+++ b/lib/semantic_menu.rb
@@ -15,7 +15,7 @@ def initialize(title, link, level, link_opts={})
   end
   
   def add(title, link, link_opts={}, &block)
-    returning(MenuItem.new(title, link, @level +1, link_opts)) do |adding|
+    MenuItem.new(title, link, @level +1, link_opts).tap do |adding|
       @children << adding
       yield adding if block_given?
     end