
Response needs to be HTML escaped #123

Open

mdesantis opened this issue Jan 12, 2015 · 7 comments

Comments

@mdesantis

As I wrote in issue #122, I have some response errors (no response execution, syntax errors, ...) due to the fact that the response contains a render partial: ..., and remotipart wraps the response into a <textarea data-type="text/javascript">...</textarea>, so its content should be HTML escaped. I resolved it by turning the create.js.erb view from this:

<%- rendering = j render(partial: 'form_errors') %>
$('#form_errors').replaceWith('<%= rendering %>');

into this:

<%# .to_str turns an ActiveSupport::SafeBuffer instance into a String,
  which gets HTML escaped %>
<%- rendering = j render(partial: 'form_errors').to_str %>
$('#form_errors').replaceWith('<%= rendering %>');

I don't know whether this behaviour is expected or not, but I think it should at least be documented in the Readme, since it leads to unexpected errors.

@chrise86

Had to do this recently, haven't had this problem in the past...

@tombeynon

Thank you for raising this, spent a good few hours trying to work out this one. Particularly frustrating since remotipart also swallows ajax requests in the console. Agree that it should be documented.

@alexbrahastoll

Thanks for sharing the solution @mdesantis, I was having the same issue here.

@mdesantis
Author

You're welcome, happy to help

@yads

yads commented Dec 23, 2015

There seems to be a difference from version 1.0 to 1.2 where the old code set the text like so:

responses = { text: type ? textarea.value : root ? root.innerHTML : null }

Whereas the new code does it like this:

content = {
  html: root.innerHTML,
  text: type ?
    textarea.value :
    root ? (root.textContent || root.innerText) : null
};

So it's using root.textContent or root.innerText. I suspect root.textContent escapes any &#39; codes with single quotes. So then the JavaScript will be broken as it will have single quotes that are unescaped.

@jloosfelt

Thanks @mdesantis as well. Your workaround made my day!

@snkshukla

Thanks @mdesantis. This works if I have remotipart data, but currently we have a scenario where we use the same form for different cases. If remotipart is not being used in that, then this fails because the response is HTML escaped.
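An added example, written for this page and not taken from remotipart, Rails or any of the commenters, that reproduces the round trip the thread describes in plain Ruby: the view escapes the partial with `j`, remotipart's iframe transport wraps the script in a textarea, and the 1.2 client reads `textarea.textContent`, which the browser has already entity-decoded. It uses a minimal stand-in for `escape_javascript` and `CGI.unescapeHTML` as a stand-in for the browser's textarea decoding (both assumptions); the `_form_errors` output is constructed. The `via_iframe_transport` flag is hypothetical and stands for whatever check a view uses to tell a remotipart submission from a plain XHR one, which is the case @snkshukla describes.

```ruby
require "erb"
require "cgi"

# Stand-in for Rails' escape_javascript (the `j` helper) so this runs without
# Rails. Assumption: only the escapes Rails applies to backslash, "</",
# newlines and quotes are mirrored here.
JS_ESCAPE_MAP = {
  "\\" => "\\\\", "</" => "<\\/", "\r\n" => "\\n", "\n" => "\\n", "\r" => "\\n",
  '"' => '\\"', "'" => "\\'"
}.freeze

def escape_javascript(str)
  str.gsub(%r{\\|</|\r\n|\r|\n|["']}) { |m| JS_ESCAPE_MAP[m] }
end

# What create.js.erb emits. With via_iframe_transport: true the rendering is
# additionally HTML-escaped, which is what the `.to_str` workaround achieves in
# Rails: a plain String (unlike a SafeBuffer) gets escaped by <%= %>.
def build_js_response(partial_html, via_iframe_transport:)
  rendering = escape_javascript(partial_html)
  rendering = ERB::Util.html_escape(rendering) if via_iframe_transport
  "$('#form_errors').replaceWith('#{rendering}');"
end

# remotipart's iframe transport wraps the script in a textarea.
def wrap_in_textarea(js)
  %(<textarea data-type="text/javascript">#{js}</textarea>)
end

# remotipart 1.2 reads textarea.textContent; the browser has already decoded
# HTML entities inside textarea (RCDATA) content, which CGI.unescapeHTML mimics.
def browser_decodes_textarea(wrapped)
  inner = wrapped[%r{<textarea[^>]*>(.*)</textarea>}m, 1]
  CGI.unescapeHTML(inner)
end

# Crude syntax check: is every single-quoted JS string literal closed?
def js_quotes_balanced?(js)
  in_string = false
  i = 0
  while i < js.length
    if in_string && js[i] == "\\"
      i += 2 # skip the escaped character
      next
    end
    in_string = !in_string if js[i] == "'"
    i += 1
  end
  !in_string
end

# Constructed partial output: Rails has already HTML-escaped the user-supplied
# value O'Reilly <b> while rendering _form_errors.
PARTIAL = "<li>O&#39;Reilly &lt;b&gt;</li>".freeze

if __FILE__ == $PROGRAM_NAME
  broken = browser_decodes_textarea(wrap_in_textarea(build_js_response(PARTIAL, via_iframe_transport: false)))
  fixed  = browser_decodes_textarea(wrap_in_textarea(build_js_response(PARTIAL, via_iframe_transport: true)))
  puts "not HTML-escaped -> #{broken}  balanced? #{js_quotes_balanced?(broken)}"
  puts "HTML-escaped     -> #{fixed}  balanced? #{js_quotes_balanced?(fixed)}"
end
```

Run as is, the unescaped path shows the failure yads diagnosed: the browser's entity decoding undoes the escaping the partial already applied, so `&#39;` becomes a bare quote inside the JS string literal (the syntax error) and `&lt;b&gt;` becomes `<b>`, which `replaceWith` would then insert as markup rather than as text. With the HTML escaping applied, the decoded textarea content is byte-for-byte the script a plain XHR would have received, which is also why the escaping has to be conditional on the transport rather than unconditional.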
