This project is archived and is in readonly mode.
remote_function does not allow dynamically generation of url
Reported by Jeroen van Dijk | April 15th, 2009 @ 05:18 PM | in 2.x
In ticket #180 the helper escape_javascript was introduced to prevent urls to corrupt javascript. However this patch also removes the possibility to use normal restful routes when the path is generated dynamically (with javascript).
The following code will not call users/:id but users/%20+%20value instead:
<%= select_tag :user_id, options_for_select( User.all.map {|object| [object.name, object.id] }) %>
<%= observe_field :user_id, :url => "#{users_path}/ + value" %>
In fact, I haven't found a possibility to do handle this situation without creating a custom route. This absolutely not what I want.
Shouldn't we add an option so that the javascript doesn't get evaluated?
Comments and changes to this ticket
-
Jeroen van Dijk April 16th, 2009 @ 10:30 AM
I patched remote_function to solve my case while the default is still working. I have to figure out how to run the rails tests so I can add tests to it. In the mean while the following code calls /admin/mail_templates/:id.json because of the added options :escape_url
options = {} options[:url] = "/admin/mail_templates/' + value + '.json" options[:escape_url] = false options[:method] ||= :get options[:complete] ||= "process_mail_template(request)" observe_field(:mail_template_id, options)This is my patch
module ActionView class Base def remote_function(options) javascript_options = options_for_ajax(options) update = '' if options[:update] && options[:update].is_a?(Hash) update = [] update << "success:'#{options[:update][:success]}'" if options[:update][:success] update << "failure:'#{options[:update][:failure]}'" if options[:update][:failure] update = '{' + update.join(',') + '}' elsif options[:update] update << "'#{options[:update]}'" end function = update.empty? ? "new Ajax.Request(" : "new Ajax.Updater(#{update}, " url_options = options[:url] url_options = url_options.merge(:escape => false) if url_options.is_a?(Hash) function << (options[:escape_url] == false ? "'#{url_for(url_options)}'" : "'#{escape_javascript(url_for(url_options))}'") ## <-- I added this line function << ", #{javascript_options})" function = "#{options[:before]}; #{function}" if options[:before] function = "#{function}; #{options[:after]}" if options[:after] function = "if (#{options[:condition]}) { #{function}; }" if options[:condition] function = "if (confirm('#{escape_javascript(options[:confirm])}')) { #{function}; }" if options[:confirm] return function end end end -
anthony May 4th, 2009 @ 08:08 PM
I created the same ticket a few days ago and submitted a patch (almost identical to yours) before finding this ticket today. My ticket is number 2593: https://rails.lighthouseapp.com/...
The main diff in my patch (other than the fact that I updated the docs and added a unit test) is that I deleted the :escape_url parameter before passing the options to options_for_ajax so it doesn't end up in the params hash in the ajax function call.
Can we mark this as a dup and keep mine open as I've already generated the patch file?
-
Steve St. Martin April 15th, 2010 @ 10:25 PM
- Assigned user set to “Ryan Bigg”
duplicates #2593, mark as duplicate
-
-
Jeff Kreeftmeijer November 7th, 2010 @ 04:55 PM
- Tag cleared.
- Importance changed from “” to “Low”
Automatic cleanup of spam.
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>
Guillermo Asernitzky
Jeremy Kemper
Ryan Bigg