Escape String - Output Rails String in JavaScript

Escape String - Output rails string in Javascript

You can use escape_javascript() to accomplish that:

var data = {
  'name': "<%== escape_javascript @product.name %>"
  // ...
};

Link:
http://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html#method-i-escape_javascript

The alias of this method is j:

var data = {
  'name': "<%== j @product.name %>"
};

How to UN-escape html strings

You can use html_safe for the same.

html_safe actually "sets the string" as HTML Safe (it's a little more complicated than that, but it's basically it). This way, you can return HTML Safe strings from helpers or models at will.

h can only be used from within a controller or view, since it's from a helper. It will force the output to be escaped. It's not really deprecated, but you most likely won't use it anymore: the only usage is to "revert" an html_safe declaration, pretty unusual.

Prepending your expression with raw is actually equivalent to calling html_safe on it, but, just like h, is declared on a helper, so it can only be used on controllers and views.

Here's a nice explanation on how the SafeBuffers (the class that does the html_safe magic) work: http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/

Properly Escaping a String inside a View

Found it:

https://guides.rubyonrails.org/3_0_release_notes.html

"7.4.3 Other Changes
You no longer need to call h(string) to escape HTML output, it is on by default in all view templates. If you want the unescaped string, call raw(string)."


escapeHTML() (or its alias h()) is from CGI::escapeHTML, which is a Ruby API implementation. If you aren't using Rails you still have a way to escape HTML. Rails may do some automagical handling of HTML in ERB files for display, and that is what you are probably referring to with html_escape "some string" and <%= "some string" %>. I think you are possibly confusing html_escape, which you might need when displaying URLs and such that are stored in the DB and you want the ERB processor to not mess them up? I know sometimes, particularly in .js.erb files, I need to escape some things to get the result I was expecting. This is different from sanitizing. It seems in your example they are referring to something that you might accept and then redisplay, like a search string. If you put <i>hello</i> into a search box you would want to sanitize the input before passing it to the back end, or if you are using some JavaScript to filter you might want to escape it both for security reasons and to let it re-display correctly in the search box after you've filtered.

Edit: I was not able to find the answer to your comment in the ri doc either. But I tried:

<%= "<b>hello</b>" %>
<%= h("<b>hello</b>") %>

And got the same result in the browser:

<b>hello</b>
<b>hello</b>

So if you are asking if it is true, then I would say yes.

How to Unescape a JavaScript string in Ruby

That string is escaped twice. There are a few ways to unescape it. The easiest is eval, though it is not safe if you don't trust the input. However if you're sure this is a string encoded by ruby:

print eval(str)

Safer:

require 'yaml'
print YAML.load(%Q(---\n"#{str}"\n))

If it was a string escaped by javascript:

require 'json'
print JSON.load(%Q("#{str}"))

See also Best way to escape and unescape strings in Ruby?

How to use variable in javascript escape_javascript rails

After lots of research, I was able to find out why the presented approaches do not work. The problem is a misconception about the client-server model.

When the server finds an escape to Ruby (<%= ... %>), it replaces the contents with something. In other words: the client does not receive whatever is inside the escape to Ruby. With this in mind it's easy to see that the first approach ( <%= … :yt => " + yt + " … %>) is doomed: the contents inside the escape to Ruby will be replaced by the server and so will never arrive at the client in this format. In this particular case the server will concatenate all the strings, generating something like “... :yt => + yt + …” that will be sent to the client.

The second approach is feasible since the server generates and sends to the client a string containing something like “... :xt => 'xt' … ”. The client, in its turn, replaces the xt by whatever it wants to be the value of the parameter. The problem is that it behaves like Schrodinger's cat: its value becomes both 'xt' and "[1,2,3]". This must be some Ruby internals, and I have no clue why it happens.

Anyway, since both methods do not work, I engineered a solution by using actions in a controller that was created just to keep the values of the parameters. In the JavaScript portion of the code, I send an Ajax request to set the value of the parameters in controller#action class variables. Inside the view I get the controller#action class variable values with a JSON request.

Ugly(?), but works.

How to HTML encode/escape a string? Is there a built-in?

The h helper method:

<%=h "<p> will be preserved" %>
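The html_safe / h / raw explanation above and the h helper shown here describe one mechanism: a buffer that escapes whatever is appended to it unless the value is marked safe. The following is an added example written for this page, not Rails' own code: SafeBufferModel is a simplified stand-in for ActiveSupport::SafeBuffer, and the h, raw and render_comment helpers are illustrative definitions that assume only Ruby's standard ERB::Util.

```ruby
require 'erb'

# Simplified model of how Rails' ActiveSupport::SafeBuffer behaves (an
# illustration for this page, not Rails' code): a String subclass that
# counts as html_safe? and HTML-escapes anything appended to it unless
# the appended value is itself marked safe.
class SafeBufferModel < String
  def html_safe?
    true
  end

  # Append: trusted fragments go in verbatim, untrusted ones are escaped first.
  # This is the mechanism behind escape-by-default in Rails view templates.
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : ERB::Util.html_escape(value))
  end
end

# Mirror of the String#html_safe / #html_safe? extension ActiveSupport adds:
# a plain String is never safe; html_safe returns a safe copy of it.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBufferModel.new(self)
  end
end

# The two view helpers discussed above, in simplified form:
# h forces escaping, raw marks a string as safe (equivalent to html_safe).
def h(value)
  ERB::Util.html_escape(value)
end

def raw(value)
  value.to_s.html_safe
end

# Builds markup the way a template does: literal markup is marked safe,
# user-controlled values (author, body) are escaped as they are appended.
def render_comment(author, body)
  out = SafeBufferModel.new("")
  out << raw("<p><b>")
  out << author           # untrusted: escaped on append
  out << raw("</b>: ")
  out << body             # untrusted: escaped on append
  out << raw("</p>")
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: an author field that contains markup.
  puts render_comment("<script>alert(1)</script>", "Tom & Jerry")
  puts h("<i>x</i>")
  puts raw("<i>x</i>")
end
```

The point to take from the model is that safety is a property of the string object, not of the template: a value coming from a model or helper is escaped at the moment it is concatenated into a safe buffer, and only values explicitly marked with html_safe or raw bypass that step.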

Best way to escape and unescape strings in Ruby?

Ruby 2.5 added String#undump as a complement to String#dump:

$ irb
irb(main):001:0> dumped_newline = "\n".dump
=> "\"\\n\""
irb(main):002:0> undumped_newline = dumped_newline.undump
=> "\n"

With it:

def escape(s)
  s.dump[1..-2]
end

def unescape(s)
  "\"#{s}\"".undump
end

$ irb
irb(main):001:0> escape("\n \" \\")
=> "\\n \\\" \\\\"
irb(main):002:0> unescape("\\n \\\" \\\\")
=> "\n \" \\"
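Both the "How to Unescape a JavaScript string in Ruby" answer and the dump/undump answer above decode escaped strings; the first warns against eval on untrusted input. The following added example (written for this page, not from either answer) shows the eval-free decoders side by side: json_unescape, ruby_unescape and decode_twice are illustrative names, and ORIGINAL is a constructed sample value.

```ruby
require 'json'

# Constructed sample: a string as the application holds it, with a real
# newline, double quotes and an apostrophe.
ORIGINAL = "line1\nline2 \"quoted\" it's"

# Produces the escaped *contents* of a JSON/JavaScript string literal
# (surrounding quotes stripped). Serialising, embedding and serialising
# again is how a value ends up escaped twice.
def js_escape_once(str)
  str.to_json[1..-2]
end

# Decodes one layer of JSON string escaping without eval: wrap the
# contents in quotes and let the JSON parser interpret the escapes.
# Nothing in the input is executed; malformed input raises
# JSON::ParserError instead of being evaluated as Ruby.
def json_unescape(escaped)
  JSON.parse(%Q("#{escaped}"))
end

# Decodes one layer of Ruby's own String#dump escaping (Ruby >= 2.5),
# the counterpart of the escape/unescape pair shown above.
def ruby_unescape(escaped)
  "\"#{escaped}\"".undump
end

# Undoes double escaping with two parser passes.
def decode_twice(twice_escaped)
  json_unescape(json_unescape(twice_escaped))
end

if __FILE__ == $PROGRAM_NAME
  twice = js_escape_once(js_escape_once(ORIGINAL))
  puts twice
  puts decode_twice(twice) == ORIGINAL
  puts ruby_unescape(ORIGINAL.dump[1..-2]) == ORIGINAL
  # Text that looks like Ruby interpolation stays literal under JSON.parse;
  # eval of the same quoted string would have run it.
  puts json_unescape('#{1 + 1}')
end
```

Note that JSON.parse only accepts the escapes JSON defines (\n, \", \\, \uXXXX and so on); a string produced by JavaScript-specific escaping, such as the \' that escape_javascript emits, is not valid JSON and has to be decoded with a JavaScript-aware routine instead.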

Rails escape_javascript creates invalid JSON by escaping single quotes

Just call .to_json on a string and it will be escaped properly e.g.

"foo'bar".to_json
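The first answer on this page embeds escape_javascript output inside a quoted JavaScript literal in a .js.erb template, and the last answer recommends to_json instead because escape_javascript's \' is not valid JSON. The following added example (written for this page, not ActionView's code) reimplements the character map escape_javascript applies as js_escape, defines json_string_literal as the to_json alternative, and renders both through plain ERB; JS_ESCAPE_MAP, js_escape, json_string_literal, TEMPLATE and render_script are all illustrative names, and the product name is a constructed sample.

```ruby
require 'erb'
require 'json'

# Reimplementation of the character map escape_javascript applies, written
# for this page (not ActionView's own code). Each key is replaced by its
# value so the result can sit inside a quoted JavaScript string literal.
JS_ESCAPE_MAP = {
  "\\"   => "\\\\",   # backslash
  "</"   => "<\\/",   # keeps a literal </script> from closing the tag
  "\r\n" => "\\n",
  "\n"   => "\\n",
  "\r"   => "\\n",
  '"'    => "\\\"",
  "'"    => "\\'",    # valid in JavaScript, NOT valid in JSON
  "`"    => "\\`",
  "$"    => "\\$",
}.freeze

def js_escape(str)
  str.to_s.gsub(/\\|<\/|\r\n|[\n\r"'`$]/, JS_ESCAPE_MAP)
end

# The to_json alternative: a complete, valid JSON string literal, quotes
# included. Plain json's to_json leaves "</" untouched, so "<\/" is
# substituted as well; that is still valid JSON and keeps "</script>" from
# terminating an inline script.
def json_string_literal(str)
  str.to_s.to_json.gsub("</", "<\\/")
end

# Plain ERB template standing in for the .js.erb above. <%= in plain ERB
# does not HTML-escape, matching the <%== used in the Rails snippet.
TEMPLATE = ERB.new(%q{var data = { name: "<%= js_escape(name) %>", name_json: <%= json_string_literal(name) %> };})

def render_script(name)
  TEMPLATE.result_with_hash(name: name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample product name containing every troublesome character.
  name = "O'Reilly \"Rails\" </script>\nnext"
  puts render_script(name)
  # Both forms decode to the same value in the browser; only the to_json
  # form is also parseable as JSON on the Ruby side.
  puts JSON.parse(json_string_literal(name)) == name
end
```

Rendering the sample produces name: "O\'Reilly \"Rails\" <\/script>\nnext" for the escape_javascript form and "O'Reilly \"Rails\" <\/script>\nnext" for the to_json form; the first belongs inside quotes you write yourself, the second is a complete literal and can also be fed straight to JSON.parse.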
