Rails XSS Protection and Haml
2.2.5 will support it, too, as long as you’ve installed the plugin. All strings that are printed to a template will be HTML-escaped by default - if you have a string that’s known to be safe, you’ll need to manually mark it as such. This will make it much harder to make the kind of mistakes that allow XSS vulnerabilities into your app.
Haml’s supported a similar sort of XSS protection since version 2.0.
If the :escape_html option is set to true, all strings are HTML-escaped by default. Special syntax is then used to insert raw HTML into the document. This option is generally not enabled by default in order to preserve backwards compatibility and to be consistent with what the user expects.
Haml versions 2.2.9 and onward support Rails’ XSS protection. This means that if you’ve got XSS protection enabled (either you’re running 2.2.5+ with the plugin, or you’re running 3.0 without the disabling plugin), Haml will escape everything by default just like ERB. It does this by enabling :escape_html, which means that you can still use the unescaping syntax to insert a raw string.
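As an added example (not code from the Haml project or from this post), here is a small Ruby model of the two mechanisms described above: a SafeBuffer-like string that escapes anything not marked html_safe, mirroring the way Rails’ XSS protection works, and a toy renderer for Haml’s `=`, `&=` and `!=` script forms with :escape_html on and off. The SafeBuffer class, the render function, the sample template and the sample inputs are all constructed for this example; only the three Haml line prefixes are real Haml syntax.

```ruby
require 'cgi'

# Stand-in for Rails' ActiveSupport::SafeBuffer (written for this example, not
# the real class): a String that knows it is already escaped. Appending an
# ordinary String escapes it; appending another SafeBuffer passes it through.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other)
    else
      super(CGI.escapeHTML(other.to_s))
    end
  end
end

class String
  def html_safe?
    false
  end

  # Mark a string as trusted markup. Only do this for HTML you built yourself.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Toy renderer for three Haml script forms (the prefixes are real Haml syntax,
# the renderer is constructed for this example):
#   =  value   inserted; escaped only when :escape_html is on
#   &= value   always escaped
#   != value   never escaped (raw HTML)
# Any other line is literal template text written by the developer.
def render(template, locals, escape_html: true)
  out = SafeBuffer.new
  template.each_line do |raw_line|
    line = raw_line.chomp
    if line.start_with?('!= ')
      out << SafeBuffer.new(locals.fetch(line[3..-1].to_sym).to_s)
    elsif line.start_with?('&= ')
      # escape first, then mark safe so the buffer does not escape it twice
      out << CGI.escapeHTML(locals.fetch(line[3..-1].to_sym).to_s).html_safe
    elsif line.start_with?('= ')
      value = locals.fetch(line[2..-1].to_sym)
      # with :escape_html on, a value already marked html_safe is still
      # inserted raw, exactly as Rails' XSS protection treats it
      out << (escape_html ? value : SafeBuffer.new(value.to_s))
    else
      out << line.html_safe
    end
    out << "\n".html_safe
  end
  out
end

# Constructed sample: an untrusted comment and a banner the site built itself.
TEMPLATE = <<~HAML
  User comment:
  = comment
  Site banner:
  != banner
  Always escaped:
  &= comment
HAML

def demo(escape_html: true)
  render(TEMPLATE,
         { comment: '<script>alert(1)</script>', banner: '<b>Welcome</b>' },
         escape_html: escape_html)
end

if $PROGRAM_NAME == __FILE__
  puts '--- :escape_html => true (Haml 2.2.9+ under Rails XSS protection) ---'
  puts demo(escape_html: true)
  puts '--- :escape_html => false (the older default) ---'
  puts demo(escape_html: false)
end
```

With :escape_html on, the script tag in the comment comes out as entities through both `=` and `&=`, while `!=` still emits the banner raw; with it off, `=` inserts the comment unchanged, which is exactly the class of mistake the default escaping is meant to prevent. A value the developer has already marked with `html_safe` passes through `=` untouched in either mode, so that marker is the one place where trust is granted.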
July 2009