This project is archived and is in readonly mode.
[PATCH] Fix generated html for remote_function so that ampersands can be used in passed in options
Reported by Andrew Kaspick | July 17th, 2010 @ 09:44 AM | in 3.x
The following code before this patch produced the following html...
<%=
tmp = "'object[name]=' + result + '&object[attr1]=' + attr1 + '&object[attr2]=' + attr2"
remote_function :url => objects_path, :method => :post,
:with => tmp.html_safe
%>
new Ajax.Request('/objects', {
asynchronous:true, evalScripts:true, method:'post',
parameters:
'object[name]=' + result + '&amp;object[attr1]=' +
attr1 + '&amp;object[attr2]=' + attr2 + '&amp;authenticity_token=' +
encodeURIComponent('YAq5IJ6Cbfcy3Faebh3gJFKXiba9L87RB0i7m2fEmpg=')
})
Note the escaping of &'s to &amp;
Without the patch the entire "Ajax..." string is unsafe due to concatenations of various options and strings even if we pass our parameter string as html_safe; an html_safe string concatenated with an unsafe string results in an unsafe string. Since our end result will always be an unsafe string the resulting javascript is escaped causing the invalid results to be produced.
With the patch, because the entire javascript string is made html_safe, we don't need to specify html_safe for our own string, so the following code...
<%=
remote_function :url => objects_path, :method => :post,
:with => "'object[name]=' + result + '&object[attr1]=' + attr1 + '&object[attr2]=' + attr2"
%>
now results in the correct output of...
new Ajax.Request('/objects', {
asynchronous:true, evalScripts:true, method:'post',
parameters:
'object[name]=' + result + '&object[attr1]=' + attr1 +
'&object[attr2]=' + attr2 + '&authenticity_token=' +
encodeURIComponent('YAq5IJ6Cbfcy3Faebh3gJFKXiba9L87RB0i7m2fEmpg=')
})
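The behaviour described in this ticket, as an added plain-Ruby model (not Rails' own code and not part of the original report): a helper that builds its result from plain strings loses the safe mark on `:with`, so the template escapes the ampersands, while marking the whole result safe emits it verbatim. `SafeString`, `render`, `build_request` and the two `remote_function_*` methods are hypothetical stand-ins, and the escaper is assumed to touch only `& < > "`.

```ruby
# Added model of the rule the ticket describes; not Rails' implementation.
# SafeString, render and remote_function_* are hypothetical names.

# Assumption: only & < > " are escaped, matching the ticket's output,
# where single quotes survive and only the ampersands change.
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def escape_html(text)
  text.gsub(/[&<>"]/, ESCAPES)
end

# A string explicitly marked as safe to emit without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

def safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# What <%= %> does: emit safe strings verbatim, escape everything else.
def render(value)
  safe?(value) ? value.to_s : escape_html(value)
end

# Simplified helper body: interpolation always yields a plain String,
# so the safe mark on :with is lost here.
def build_request(url, with)
  "new Ajax.Request('#{url}', {method:'post', parameters:#{with}})"
end

def remote_function_before(url, with)
  build_request(url, with)                 # plain String, escaped on render
end

def remote_function_after(url, with)
  SafeString.new(build_request(url, with)) # whole result marked safe
end

if __FILE__ == $PROGRAM_NAME
  with = "'object[name]=' + result + '&object[attr1]=' + attr1"
  puts render(remote_function_before('/objects', SafeString.new(with)))
  puts render(remote_function_after('/objects', with))
end
```

Because the patched result is emitted without escaping, whatever is passed in `:with` reaches the page verbatim, so that value has to come from trusted code rather than request data.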
Comments and changes to this ticket
-
Mislav July 17th, 2010 @ 12:58 PM
Tests are definitely in order. The fact that there were no tests previously is probably what led to this breakage.
-
Andrew Kaspick July 17th, 2010 @ 11:25 PM
Updated patch again with a bit more detail to test the generated string as well.
-
Andrew Kaspick July 18th, 2010 @ 10:23 PM
- Tag changed from remote_function patch to remote_function patch, tests
-
Andrew Kaspick July 18th, 2010 @ 10:24 PM
- Tag changed from remote_function patch, tests to patch, remote_function, tests
-
Neeraj Singh July 21st, 2010 @ 04:17 AM
- Importance changed from to Low
@Andrew if you could edit the ticket so that code is not all in one line then that would be nice.
-
Neeraj Singh July 21st, 2010 @ 04:50 AM
- Milestone set to 3.x
- State changed from new to open
- Tag changed from patch, remote_function, tests to rails 3, patch, remote_function, tests
- Assigned user set to Santiago Pastorino
patch looks good to me. But I haven't worked with html_safe much. Assigning it to Santiago.
-
Andrew Kaspick July 22nd, 2010 @ 01:40 AM
This patch can be closed now as it has now been committed. Thanks guys.
-
Santiago Pastorino July 22nd, 2010 @ 02:18 AM
- State changed from open to resolved