This project is archived and is in readonly mode.

#2500 ✓duplicate
Jeroen van Dijk

remote_function does not allow dynamic generation of url

Reported by Jeroen van Dijk | April 15th, 2009 @ 05:18 PM | in 2.x

In ticket #180 the helper escape_javascript was introduced to prevent URLs from corrupting JavaScript. However, this patch also removes the possibility of using normal RESTful routes when the path is generated dynamically (with JavaScript).

The following code will not call users/:id but users/%20+%20value instead:

<%= select_tag :user_id, options_for_select( {|object| [,]  }) %>

<%= observe_field :user_id, :url => "#{users_path}/ + value" %>

In fact, I haven't found a possibility to handle this situation without creating a custom route. This is absolutely not what I want.

Shouldn't we add an option so that the javascript doesn't get evaluated?

Comments and changes to this ticket

  • Jeroen van Dijk

    Jeroen van Dijk April 16th, 2009 @ 10:30 AM

    I patched remote_function to solve my case while the default is still working. I have to figure out how to run the Rails tests so I can add tests to it. In the meantime, the following code calls /admin/mail_templates/:id.json because of the added option :escape_url

         options = {}
         options[:url] = "/admin/mail_templates/' + value + '.json"
         options[:escape_url] = false
         options[:method] ||= :get
         options[:complete] ||= "process_mail_template(request)"
         observe_field(:mail_template_id, options)

    This is my patch

    module ActionView
      class Base
        def remote_function(options)
          javascript_options = options_for_ajax(options)

          # Build the update target: a {success:, failure:} pair or a single element id.
          update = ''
          if options[:update] && options[:update].is_a?(Hash)
            update  = []
            update << "success:'#{options[:update][:success]}'" if options[:update][:success]
            update << "failure:'#{options[:update][:failure]}'" if options[:update][:failure]
            update  = '{' + update.join(',') + '}'
          elsif options[:update]
            update << "'#{options[:update]}'"
          end

          function = update.empty? ?
            "new Ajax.Request(" :
            "new Ajax.Updater(#{update}, "

          url_options = options[:url]
          url_options = url_options.merge(:escape => false) if url_options.is_a?(Hash)
          # With :escape_url => false the URL is emitted without escape_javascript.
          function << (options[:escape_url] == false ? "'#{url_for(url_options)}'" : "'#{escape_javascript(url_for(url_options))}'")  ## <-- I added this line
          function << ", #{javascript_options})"

          function = "#{options[:before]}; #{function}" if options[:before]
          function = "#{function}; #{options[:after]}"  if options[:after]
          function = "if (#{options[:condition]}) { #{function}; }" if options[:condition]
          function = "if (confirm('#{escape_javascript(options[:confirm])}')) { #{function}; }" if options[:confirm]

          return function
        end
      end
    end
  • anthony

    anthony May 4th, 2009 @ 08:08 PM

    I created the same ticket a few days ago and submitted a patch (almost identical to yours) before finding this ticket today. My ticket is number 2593:

    The main diff in my patch (other than the fact that I updated the docs and added a unit test) is that I deleted the :escape_url parameter before passing the options to options_for_ajax so it doesn't end up in the params hash in the ajax function call.

    Can we mark this as a dup and keep mine open as I've already generated the patch file?

  • Steve St. Martin

    Steve St. Martin April 15th, 2010 @ 10:25 PM

    • Assigned user set to “Ryan Bigg”

    duplicates #2593, mark as duplicate

  • Ryan Bigg

    Ryan Bigg April 15th, 2010 @ 10:27 PM

    • State changed from “new” to “duplicate”

    Duplicate of #2593.

  • Jeff Kreeftmeijer

    Jeff Kreeftmeijer November 7th, 2010 @ 04:55 PM

    • Tag cleared.
    • Importance changed from “” to “Low”

    Automatic cleanup of spam.
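
The trade-off behind the :escape_url option discussed in this ticket, as an added example (not code from the ticket or from Rails). `escape_js` is a simplified stand-in for escape_javascript, and `url_literal`, `url_with_js_value`, `literal_quotes` and the `TAINTED` sample are hypothetical names constructed here; the last helper keeps escaping on the server-side parts while still allowing a client-side value in the path.

```ruby
# Simplified stand-in for Rails' escape_javascript (assumption: it covers only
# backslashes, newlines and quotes, which is all this example needs).
def escape_js(str)
  str.to_s.gsub('\\') { '\\\\' }.gsub(/\r\n|\n|\r/) { '\\n' }.gsub(/["']/) { |q| "\\#{q}" }
end

# The URL argument as remote_function would emit it, with or without escaping.
def url_literal(url, escape_url = true)
  "'#{escape_url ? escape_js(url) : url}'"
end

# Hypothetical helper (not a Rails API): escape the server-side parts and join
# them to a client-side expression that is URL-encoded in the browser.
# js_expr must be a developer-written JS expression, never request data.
def url_with_js_value(prefix, js_expr, suffix = '')
  "'#{escape_js(prefix)}' + encodeURIComponent(#{js_expr}) + '#{escape_js(suffix)}'"
end

# Count the quotes that open or close a JS string literal, skipping any quote
# that is backslash-escaped. An odd count means a literal ended early.
def literal_quotes(js)
  count = 0
  escaped = false
  js.each_char do |c|
    if escaped
      escaped = false
    elsif c == '\\'
      escaped = true
    elsif c == "'"
      count += 1
    end
  end
  count
end

TICKET_URL = "/admin/mail_templates/' + value + '.json" # URL from the ticket
TAINTED    = "/teams/o'brien/"                          # constructed sample segment

if __FILE__ == $PROGRAM_NAME
  puts url_literal(TICKET_URL)                        # escaped: one literal, no concatenation
  puts url_literal(TICKET_URL, false)                 # raw: the concatenation works
  puts url_literal(TAINTED + "' + value + '", false)  # raw: stray quote, broken script
  puts url_with_js_value(TAINTED, 'value', '.json')   # escaped parts, encoded value
end
```

With escaping disabled, every server-side segment of the URL has to be free of quotes and backslashes on its own, which is why the option should stay off for any URL built from stored or request data.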
