Forum: Ruby on Rails rails Erb w/ setAttribute "onclick"

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Mk 27 (mk27)
on 2009-05-31 19:57
I'm trying to do this in a .js header:

tmp.setAttribute("onclick",'<%= remote_function(:update => "mainbody",
:url => { :controller => :subject, :action => :new }) %>')

I've fiddled with the syntax slightly (eg, ' vs " vs \") but the best I
seem to get is an "Illegal XML character" error from firebug, citing the
erb tag above, which tag worked fine in the page source itself.

How can I *use DOM* to set an "onclick" method to a rails/Erb function?
Mk 27 (mk27)
on 2009-05-31 21:24
After googling for a bit I now believe that you simply *cannot* put erb
tags in a .js file.

I managed to get around this by rewriting the DOM as html and putting it
in a partial, such that the (different) onclick that was supposed to
call a js function with erb in it now calls an erb function with a js
function in it...

<span onclick="<%= remote_function(:update => "dropinner",
        :url => { :action=>:rendpart, :part=>"addmenu" },
        :success => "new Effect.BlindDown('dropmenu')")%>">

but if anyone knows how to do what I have in the OP, please lemme know
for future reference.

Also, is there a way to call "render" from within remote_function(:url
=> {}) so I can skip the controller function that calls render?

  def rendpart
    render :partial => params[:part]
  end
Frederick Cheung (Guest)
on 2009-05-31 23:31
(Received via mailing list)
On May 31, 8:24 pm, Mk 27 <rails-mailing-l...@andreas-s.net> wrote:
> After googling for a bit I now believe that you simply *cannot* put erb
> tags in a .js file.
>

Normal js files are just served as-is (and if you have set things up
right never even touch rails at all (ie they are served directly by
nginx or apache)).

if you have an action that renders a .js.erb template you'll get what
you want.

> for future reference.
>
> Also, is there a way to call "render" from within remote_function(:url
> => {}) so I can skip the controller function that calls render?

Nope. remote_function just generates a blob of javascript that calls
an appropriate controller action
>
>   def rendpart
>     render :partial => params[:part]
>   end

I have a sneaking suspicion that would allow an attacker to read any
file on your hard disk (by passing the absolute path to the file as
params[:part])

Fred
Mk 27 (mk27)
on 2009-06-01 00:19
Thanks Fred.  Two more questions:

Frederick Cheung wrote:

> Normal js files are just served as-is (and if you have set things up
> right never even touch rails at all (ie they are server directly by
> nginx or apache)).
>
> if you have an action that renders a .js.erb template you'll get what
> you want.

Yes, I ran across some references to ".js.erb" files; unfortunately I
have not found much of an explanation of them. I have a couple of books
from the library ("The Art of Rails", IMO at best mediocre, and "Ajax on
Rails" which seems great).

I even grepped through the API for "\.js\.erb" and it's not in there
even once...perhaps the suffix recently changed?  Anyway, any pointers
to reading material here would be much appreciated.

> I have a sneaking suspicion that would allow an attacker to read any
> file on your hard disk (by passing the absolute path to the file as
> params[:part])

I just tried that; it might work if the filename has a _ for a prefix,
but I doubt that since the server error also refers to the "views path
app/views".

I am just working at home while learning anyway.  I was surprised when I
noticed I get unrestricted access to the filesystem by default; I
presume WEBrick was not intended for security.  I would assume that
if/when I put something up on a real server, they will not be permitting
that possibility if it can be prevented?  Otherwise I'm surprised anyone
hosts Rails at all...but further thoughts from anyone would be welcome.
Frederick Cheung (Guest)
on 2009-06-01 00:36
(Received via mailing list)
On May 31, 11:19 pm, Mk 27 <rails-mailing-l...@andreas-s.net> wrote:
> I even grepped through the API for "\.js\.erb" and it's not in there
> even once...perhaps the suffix recently changed?  Anyway, any pointers
> to reading material here would be much appreciated.
>
template extensions have two parts: the js (or html, or something
else) tells rails what you are producing. the second part tells rails
what should be used to render it: erb, haml, markaby, builder etc...
js.erb just means 'this is javascript and you should run it through
erb first'. Other than that there's not a whole lot to explain.

>
> I am just working at home while learning anyway.  I was surprised when I
> noticed I get unrestricted access to the filesystem by default; I
> presume WEBrick was not intended for security.  I would assume that
> if/when I put something up on a real server, they will not be permitting
> that possibility if it can be prevented?  Otherwise I'm surprised anyone
> hosts Rails at all...but further thoughts from anyone would be welcome.

that's up to you really. Run your app code as a user that doesn't have
access to more than it needs to.

Fred
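What "run it through erb first" looks like, as an added example that is not part of the thread: a stand-in for an app/views/subject/new.js.erb template rendered with Ruby's stdlib ERB, shown once with a value spliced in unescaped and once escaped so it cannot close the JavaScript string or the surrounding script tag. The template strings, the escape_js helper, the render_js_erb function and the sample values are all constructed here; in Rails the same job is done by the escape_javascript helper, and the locals stand in for the @ivars an action would set.

```ruby
require "erb"

# Stand-in for Rails' escape_javascript, constructed for this example:
# escape anything that could end a JS string literal or the surrounding
# <script> context. Rails' own helper differs in detail.
JS_ESCAPES = {
  "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
  "\r" => "\\r",  "\n" => "\\n",
  "<"  => "\\u003c", ">" => "\\u003e"
}.freeze

def escape_js(value)
  value.to_s.gsub(/[\\'"\r\n<>]/, JS_ESCAPES)
end

# Constructed stand-ins for app/views/subject/new.js.erb: the "js" part says
# the response is JavaScript, the "erb" part says run it through ERB first.
UNSAFE_NEW_JS_ERB = <<~'ERB'
  // new.js.erb, unescaped: the value is spliced straight into a JS string
  $('mainbody').innerHTML = '<%= body %>';
ERB

SAFE_NEW_JS_ERB = <<~'ERB'
  // new.js.erb, escaped: the value can no longer close the string or the tag
  $('mainbody').innerHTML = '<%= escape_js(body) %>';
  console.log('rendered <%= escape_js(title) %>');
ERB

# Render a template string the way the js.erb pipeline does: ERB evaluates
# the <%= %> tags against a binding that holds the template's locals.
def render_js_erb(template, locals)
  b = binding
  locals.each { |name, value| b.local_variable_set(name, value) }
  ERB.new(template).result(b)
end

if __FILE__ == $0
  # Constructed sample value: an apostrophe and a closing script tag
  sample = { body: "it's </script><b>new</b>", title: "Subject" }
  puts render_js_erb(UNSAFE_NEW_JS_ERB, sample)
  puts render_js_erb(SAFE_NEW_JS_ERB, sample)
end
```

Everything between `<%= %>` is evaluated server side and the result is sent as JavaScript, which is exactly why a plain `.js` file (served as-is by the web server) never sees the tags, and why anything user-controlled that ends up inside a js.erb template has to be escaped for the JavaScript context rather than for HTML.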
Marnen Laibow-Koser (marnen)
on 2009-06-01 01:07
Mk 27 wrote:
> I'm trying to do this in a .js header:
>
> tmp.setAttribute("onclick",'<%= remote_function(:update => "mainbody",
> :url => { :controller => :subject, :action => :new }) %>')

[...]
>
> How can *use DOM* to set an "onclick" method to rails/Erb function?

There's a pattern I use quite often when I have to pass a value from a
Rails calculation to JS.  Put the value in a hidden element, then have
the JS look at the value of that element.  In your case:

### CSS file
.hidden {display: none;}

### ERb view file
<div id='remote'>
  <%= remote_function(:update => "mainbody",
        :url => { :controller => :subject, :action => :new }) %>
</div>

### JS file
// innerHTML is a property, not a method; $() is Prototype's element lookup
tmp.setAttribute('onclick', $('remote').innerHTML);

Does that help?

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org
Marnen Laibow-Koser (marnen)
on 2009-06-01 01:09
Marnen Laibow-Koser wrote:
> <div id='remote'>
I forgot the class="hidden", but the rest of the example is sound.

Best,
Marnen
Mk 27 (mk27)
on 2009-06-01 01:40
Marnen Laibow-Koser wrote:

> Does that help?

Yeah, I see what you're doing.  Thanks Marnen.