SpringFlowers AutumnMoon wrote:
> I wonder, on RoR, will there sometimes be a need to pass some data from
> Ruby to JavaScript?
> 
> 1)   var title = ______________ ;

<script type="text/javascript" charset="utf-8">
  var title = '<%= h @my_var -%>'
</script>

> 
> What is the proper way to do it (fill in the code for  ______________ )
> if title can have a newline character, or a single / double quote, or any
> weird character?  And what's more, what if the title from the database can
> have <script> tags, so the code needs to do cross-site scripting (XSS)
> prevention, say, if the title needs to be set into a div's innerHTML
> later?
> 
> 2) further more, what if we do
> 
> <a href="#" onclick="changeIt(______________); return false;">Click
> me</a>
> 
> This case is more complicated, since I think there is a rule that says
> anything inside the attribute's value will first be parsed by the
> browser as HTML, so this is a little trickier than case (1).

<a href="#" onclick="changeIt('<%= h @my_var -%>'); return false;">Click 
me</a>

However, I think you're right about the format of the string object. 
HTML escape won't provide what you want so you probably need to write 
your own sanitizing helper and use that in place of html_escape (h) 
helper. A quick-and-dirty one I came up with was 
my_var.gsub(/[\n\'\"<>]/, ""). I'm sure that's probably not 
comprehensive, but does seem to take care of the issues mentioned here.
-- 
Posted via http://www.ruby-forum.com/.
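Added example, not from the post and not Rails' own code (Rails ships `escape_javascript`/`j` for the script case): two stdlib-only helpers, `js_string_literal` and `js_literal_for_attribute` (names are mine), that build a JavaScript string literal for the two contexts in the question. JSON encoding handles quotes, newlines and control characters, the extra `\u00xx` escapes keep `</script>` and `<!--` out of the HTML parser's view, and the attribute variant HTML-escapes the whole literal because the browser entity-decodes an `onclick` value before the JS engine ever sees it.

```ruby
require 'json'
require 'erb'

# Characters that are harmless to JavaScript but meaningful to the HTML
# parser (or are JS line terminators). Replacing them with \u escapes keeps
# the JS value intact while guaranteeing the output contains no "<", ">",
# "&", U+2028 or U+2029, so "</script>" and "<!--" cannot appear in <script>.
JS_UNSAFE = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Case (1): a JS string literal for use inside an inline <script> block.
# String#to_json escapes ", \, newlines and control chars; the gsub adds the
# HTML-sensitive characters. Use the block form so the replacement text is
# never subject to gsub's backslash interpretation.
def js_string_literal(value)
  value.to_s.to_json.gsub(/[<>&\u2028\u2029]/) { |c| JS_UNSAFE[c] }
end

# Case (2): the same literal placed in an event-handler attribute. The
# attribute value is HTML-decoded first, then run as JS, so the finished JS
# literal is HTML-escaped as a whole (" -> &quot;, ' -> &#39;).
def js_literal_for_attribute(value)
  ERB::Util.html_escape(js_string_literal(value))
end

# The two snippets from the thread, rendered with the helpers above.
def script_tag_for(title)
  "<script type=\"text/javascript\">\n  var title = #{js_string_literal(title)};\n</script>"
end

def onclick_link_for(title)
  %(<a href="#" onclick="changeIt(#{js_literal_for_attribute(title)}); return false;">Click me</a>)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample title exercising every case the question raises.
  title = %(Rock "n" Roll's\nhits</script><script>alert(1)</script>)
  puts script_tag_for(title)
  puts onclick_link_for(title)
end
```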
