Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #4821 (reopened defect)

Opened 2 years ago

Last modified 2 years ago

update_page yields escaped js when used in remote callback

Reported by: evronm@dtcinc.net Assigned to: David
Priority: normal Milestone:
Component: ActionPack Version: 1.1.1
Severity: major Keywords: update_page escaped code callback
Cc:

Description

I posted about this at ruby-forum but haven't gotten any answers. But the subject line pretty much sums it up. Here's the souce code in question: 

<%= link_to_remote 'Foobar',
  {:url => {:action => 'new'}, 
  :update => 'contact',
  :complete => "alert('aaaa')"},
  :id => "new_tab", :class => 'tab'
%>

<%= link_to_remote 'Foobar',
  {:url => {:action => 'new'}, 
  :update => 'contact',
  :complete => update_page do |page| 
        page.alert('aaaa')
        end },
  :id => "new_tab", :class => 'tab'
%>

They should yield the same thing, but in the second example, the onComplete callback ends up reading: 

alert(&quot;aaaa&quot;)

I did quite a bit of digging in the source code, and the only place I could find where the escaping might be happening is in the url_for method. However, these callbacks should never be passed to url_for, so I am stumped.

I would really appreciate it if someone more familiar with the source code could fix this or at least provide a reasonable workaround.

BTW, I am using Rails v1.1.2, which does not appear in the dropdown.

Thanks much.

Change History

04/20/06 20:12:09 changed by sam

  • status changed from new to closed.
  • resolution set to invalid.

This behavior isn't supported yet. We're still investigating the right way to use update_page blocks in callbacks for the various Ajax helpers. However, the update_page semantics won't change. See [4235] for one step we've recently taken in this direction.

I'm closing this as invalid for now, but please do feel free to discuss possible options further either in this ticket or on the Rails core ML.

04/20/06 20:56:30 changed by evronm@dtcinc.net

  • status changed from closed to reopened.
  • resolution deleted.

Well, here's the strange thing: the behavior IS supported, whether you intended it or not.

I've done a bunch of source code spelunking, and finally found the one culprit: tag_helper.

If it is modified to look as follows: 

def tag_options(options)
  cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
  ' ' + cleaned_options.map {|key, value| %(#{key}="#{value.to_s}")}.sort * ' ' unless cleaned_options.empty?
end

This behavior will work, right out of the box, no further changes necessary. It's easy enough to put h() around your callback values if you want it.

However, such a change might break some existing code, so I'd like peoples opinions on alternatives before submitting a patch. There is a topic open on the Rails Core ML about this as well, for just that reason.

BTW, you I had a look at 4235. Great idea, but I suspect you'll run into exactly the same problem.

I hope you don't mind me reopening this ticket, since it doesn't just affect update_page rendered js, but any js with double quotes in it...