Rails Erb w/ setAttribute "onclick"


#1

I’m trying to do this in a .js header:

tmp.setAttribute("onclick", '<%= remote_function(:update => "mainbody",
:url => { :controller => :subject, :action => :new }) %>')

I’ve fiddled with the syntax slightly (e.g., ’ vs " vs ") but the best I
seem to get is an “Illegal XML character” error from Firebug, citing the
erb tag above, which worked fine in the page source itself.

How can I use the DOM to set an “onclick” method to a rails/Erb function?


#2

After googling for a bit I now believe that you simply cannot put erb
tags in a .js file.

I managed to get around this by rewriting the DOM as html and putting it
in a partial, such that the (different) onclick that was supposed to
call a js function with erb in it now calls an erb function with a js
function in it…

<span onclick="<%= remote_function(:update => "dropinner",
:url => { :action => :rendpart, :part => "addmenu" },
:success => "new Effect.BlindDown('dropmenu')") %>">

but if anyone knows how to do what I have in the OP, please lemme know
for future reference.

Also, is there a way to call “render” from within remote_function(:url
=> {}) so I can skip the controller function that calls render?

   def rendpart
     render :partial => params[:part]
   end

#3

On May 31, 8:24 pm, Mk 27 removed_email_address@domain.invalid wrote:

After googling for a bit I now believe that you simply cannot put erb
tags in a .js file.

Normal js files are just served as-is (and if you have set things up
right they never even touch rails at all, i.e. they are served directly by
nginx or apache).

If you have an action that renders a .js.erb template you’ll get what
you want.

for future reference.

Also, is there a way to call “render” from within remote_function(:url
=> {}) so I can skip the controller function that calls render?

Nope. remote_function just generates a blob of javascript that calls
an appropriate controller action.

   def rendpart
     render :partial => params[:part]
   end

I have a sneaking suspicion that would allow an attacker to read any
file on your hard disk (by passing the absolute path to the file as
params[:part]).

Fred
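As an added example (not code from anyone in the thread), the plain-Ruby model below contrasts what the unchecked `rendpart` lookup resolves to with an allow-listed version; the view root, the partial names and the sample file path are constructed for illustration.

```ruby
require 'pathname'

# Constructed for this example: a fake view root and the partial names the
# application actually ships (the thread only names "addmenu").
VIEWS_ROOT    = Pathname.new('/app/views').freeze
ALLOWED_PARTS = %w[addmenu dropmenu].freeze

# Models what `render :partial => params[:part]` resolves to: the basename
# gets a "_" prefix and is looked up relative to the views root, but the
# directory part of a request-supplied string is honoured unchanged, so an
# absolute value lands outside the views tree (Mk 27's "_ prefix" caveat).
def unchecked_partial_path(part)
  dir, base = File.split(part)
  (VIEWS_ROOT + dir + "_#{base}").cleanpath
end

# Defensive check usable on any resolved template path: true only when the
# cleaned path still lives under the views root.
def inside_views_root?(path)
  path.cleanpath.to_s.start_with?("#{VIEWS_ROOT}/")
end

# Hardened version of the action's lookup: the request may only pick a name
# from a fixed allow-list, and the directory is decided by the server, not
# the client. Returns nil for anything else so the controller can answer 404.
def safe_partial_path(part)
  return nil unless ALLOWED_PARTS.include?(part)
  VIEWS_ROOT + 'subject' + "_#{part}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate partial name and an absolute path.
  ['addmenu', '/srv/app/config/database.yml'].each do |part|
    resolved = unchecked_partial_path(part)
    puts "#{part.inspect}: unchecked -> #{resolved} " \
         "(inside views: #{inside_views_root?(resolved)}), " \
         "allow-listed -> #{safe_partial_path(part).inspect}"
  end
end
```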


#4

Thanks Fred. Two more questions:

Frederick C. wrote:

Normal js files are just served as-is (and if you have set things up
right they never even touch rails at all, i.e. they are served directly by
nginx or apache).

If you have an action that renders a .js.erb template you’ll get what
you want.

Yes, I ran across some references to “.js.erb” files; unfortunately I
have not found much of an explanation of them. I have a couple of books
from the library (“The Art of Rails”, IMO at best mediocre, and “Ajax on
Rails” which seems great).

I even grepped through the API for “.js.erb” and it’s not in there
even once…perhaps the suffix recently changed? Anyway, any pointers
to reading material here would be much appreciated.

I have a sneaking suspicion that would allow an attacker to read any
file on your hard disk (by passing the absolute path to the file as
params[:part])

I just tried that; it might work if the filename has a _ for a prefix,
but I doubt that since the server error also refers to the “views path
app/views”.

I am just working at home while learning anyway. I was surprised when I
noticed I get unrestricted access to the filesystem by default; I
presume WEBrick was not intended for security. I would assume that
if/when I put something up on a real server, they will not be permitting
that possibility if it can be prevented? Otherwise I’m surprised anyone
hosts Rails at all…but further thoughts from anyone would be welcome.


#5

Mk 27 wrote:

I’m trying to do this in a .js header:

tmp.setAttribute("onclick", '<%= remote_function(:update => "mainbody",
:url => { :controller => :subject, :action => :new }) %>')

[…]

How can I use the DOM to set an “onclick” method to a rails/Erb function?

There’s a pattern I use quite often when I have to pass a value from a
Rails calculation to JS. Put the value in a hidden element, then have
the JS look at the value of that element. In your case:

CSS file

.hidden {display: none;}

ERb view file

<span id="remote" class="hidden"><%= remote_function(:update => "mainbody",
:url => { :controller => :subject, :action => :new }) %></span>

JS file

tmp.setAttribute('onclick', $('remote').innerHTML);

Does that help?

Best,

Marnen Laibow-Koser
http://www.marnen.org
removed_email_address@domain.invalid


#6

On May 31, 11:19 pm, Mk 27 removed_email_address@domain.invalid wrote:

I even grepped through the API for “.js.erb” and it’s not in there
even once…perhaps the suffix recently changed? Anyway, any pointers
to reading material here would be much appreciated.

Template extensions have two parts: the js (or html, or something
else) tells rails what you are producing. The second part tells rails
what should be used to render it: erb, haml, markaby, builder etc…
js.erb just means “this is javascript and you should run it through
erb first”. Other than that there’s not a whole lot to explain.

I am just working at home while learning anyway. I was surprised when I
noticed I get unrestricted access to the filesystem by default; I
presume WEBrick was not intended for security. I would assume that
if/when I put something up on a real server, they will not be permitting
that possibility if it can be prevented? Otherwise I’m surprised anyone
hosts Rails at all…but further thoughts from anyone would be welcome.

That’s up to you really. Run your app code as a user that doesn’t have
access to more than it needs to.

Fred


#7

Marnen Laibow-Koser wrote:

Does that help?

Yeah, I see what you’re doing. Thanks Marnen.


#8

Marnen Laibow-Koser wrote:

I forgot the class="hidden", but the rest of the example is sound.

Best,
Marnen