Forum: Ruby on Rails proper escaping

parker (Guest)
on 2005-12-09 00:08
(Received via mailing list)
Hello all,

I have a tricky issue with escape_javascript and render/render_to_string
I'm looking for some comments on.  Brief background, I'm making a gmaps
interface and am trying to render a partial to a string in my controller
so I can pass it through to my maps object (a library) for handling.

To make this work I need to escape the text returned by the template.
However, I can't do this right before passing it to the object, since
escape_javascript is only available in the view.

My next thought was to define a container template that did nothing but
escape the content, e.g.:

<%= escape_javascript render_to_string :partial => 'inner_template' %>

The problem with this is that render_to_string is only available to the
controller.  So, I can't escape after the fact, or render a string in
the template, where I could escape it.

Anyone solved this short of re-implementing escape_javascript and making
that available to the controller?

Thanks as always for the help,

pt.
------
Parker T.
Professional
(w) http://placesite.com
(c) 510.541.0125
skaes (Guest)
on 2005-12-09 07:23
(Received via mailing list)
Parker T. wrote:

> escape_javascript is only available in the view.
> Anyone solved this short of re-implementing escape_javascript and
> making that available to the controller?
>
> Thanks as always for the help,

You can invoke any helper function through the @template instance
variable in the controller. So you'd write:

  escaped_js = @template.escape_javascript(render_to_string(:partial => 'inner_template'))

HTH,

-- stefan

http://railsexpress.de/blog
parkert (Guest)
on 2005-12-09 19:27
(Received via mailing list)
On 12/8/05, Stefan K. <removed_email_address@domain.invalid> wrote:

> You can invoke any helper function through the @template instance
> variable in the controller. So you'd write:
>
>   escaped_js = @template.escape_javascript(render_to_string(:partial => 'inner_template'))

Ah very interesting, thanks.  And now for the follow-up....

What I'm trying to do is link_to remote and fetch some information
(profile), along with a form (comment form) that itself uses a
form_remote tag to submit.  The form is fetched and *looks* properly
escaped, but when I try to submit I get JS errors in Firefox (included
below), though not in Safari.  In both cases though, clicking 'submit'
uses a normal post rather than making an xmlhttp request.

I could work around this by pre-including a form and using my data
fetch to return some js that would fill some hidden fields (to
associate the profile with the comment), but that's a poor
workaround.  I could see wanting to do this same thing, but return a form
with edit-in-place fields, which could not be worked around.

the gory details:

js error in firefox on submitting comment form:

Error: missing ) after argument list
Source Code:
g:function(request){$('mapped_place_add_comment_link').value =
'Adding...'; $('mapped_place_comment_link'.disabled = true;},
parameters:Form.serialize(this)}); return false;

js returned by the server to generate profile, including comment form:

$('map_current_place_profile').innerHTML = '\n<div
id=\"profile_container\">\n\n  <div class=\"sectionHeader\">\n
gghhjjkjk\n  </div>\n\n  <div id=\"profileBody\">\n      sdfgghhh\n
</div>\n\n</div>\n\n<div
class=\"subSectionHeader\">Comments</div>\n<div
id=\"place_comments\">\n\n</div>\n\n<div id=\"place_comment_form\">\n
<!--  render( \'mapped_place_comments/add\', :object =>
MappedPlaceComment.new, :locals => {:mapped_place => @mapped_place} )
-->\n  \n  <div id=\"mapped_place_add_comment\" style=\"\">\n  <form
action=\"/mapped_places/add_comment\" method=\"post\" onsubmit=\"new
Ajax.Request(\'/mapped_places/add_comment\', {asynchronous:true,
evalScripts:true,
onComplete:function(request){$(\'mapped_place_comment_link\').value =
\'Add Comment\'; $(\'mapped_place_comment_link\').disabled = false;
eval(request.responseText);},
onLoading:function(request){$(\'mapped_place_add_comment_link\').value
= \'Adding...\'; $(\'mapped_place_comment_link\'.disabled = true;},
parameters:Form.serialize(this)}); return false;\>\n\n  <!--
error_messages_for \'mapped_place_comment\' -->
\n\n<!--[form:mapped_place_comments]-->\n<p><label
for=\"mapped_place_comments_title\">Title</label>\n<input
id=\"mapped_place_comments_title\"
name=\"mapped_place_comments[title]\" size=\"30\" type=\"text\"
/></p>\n\n<p><label
for=\"mapped_place_comments_body\">Body</label>\n<textarea cols=\"30\"
id=\"mapped_place_comments_body\" name=\"mapped_place_comments[body]\"
rows=\"5\"></textarea></p>\n<!--[eoform:mapped_place_comments]-->\n\n\n
 <input id=\"mapped_place_comment_mapped_place_id\"
name=\"mapped_place_comment[mapped_place_id]\" type=\"hidden\"
value=\"65\" />\n\n  <input value=\"Cancel\" type=\"button\"
onclick=\"baffo();\" />\n  <input id=\"mapped_place_comment_link\"
name=\"commit\" type=\"submit\" value=\"Add Comment\ />\n  \n
</form>\n  </div>\n\n</div>\n\n</div>\n';

Thanks,

pt.
--
Parker T.
http://www.parkert.com/
510.541.0125
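
The escaping step discussed in this thread, as an added example that is not part of the original posts and not Rails' `escape_javascript` source: a stand-alone Ruby sketch that escapes a rendered partial for a single-quoted JavaScript literal and checks that nothing in it ends the literal early. All function names and the sample partial are constructed for illustration.

```ruby
# Added sketch, not Rails' escape_javascript: escape text for use inside a
# quoted JavaScript string literal. Backslashes must be escaped as well,
# otherwise input like \' would turn into \\' and close the literal.
JS_ESCAPES = {
  "\\" => "\\\\", "\r\n" => "\\n", "\n" => "\\n", "\r" => "\\n",
  '"' => '\\"', "'" => "\\'"
}.freeze

def js_string_escape(text)
  text.to_s.gsub(/\\|\r\n|\n|\r|"|'/) { |m| JS_ESCAPES[m] }
end

# Index of the first character that would end a single-quoted JS literal
# early (an unescaped ' or a raw line break), or nil if the body is safe.
def literal_break_index(body)
  i = 0
  while i < body.length
    ch = body[i]
    if ch == "\\"
      i += 2 # skip the backslash and the character it escapes
      next
    end
    return i if ch == "'" || ch == "\n" || ch == "\r"
    i += 1
  end
  nil
end

# Reverse of js_string_escape for the escapes it emits, used to confirm the
# browser would receive the original markup after evaluating the literal.
def js_string_unescape(body)
  body.gsub(/\\(.)/m) { $1 == "n" ? "\n" : $1 }
end

# Hypothetical helper: the statement shape seen in the thread's server response.
def inner_html_assignment(element_id, html)
  "$('#{element_id}').innerHTML = '#{js_string_escape(html)}';"
end

# Constructed sample partial: an inline handler with nested quotes and
# line breaks, similar in shape to the comment form quoted above.
SAMPLE_PARTIAL = <<~HTML
  <form action="/mapped_places/add_comment" method="post"
        onsubmit="new Ajax.Request('/mapped_places/add_comment', {asynchronous:true}); return false;">
    <input name="commit" type="submit" value="Add Comment" />
  </form>
HTML
```

Escaping only guarantees that the markup arrives intact inside the string; JavaScript written into an inline handler such as `onsubmit` is passed through unchanged, so a syntax error in that handler still has to be fixed where it is authored.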