
html escape (remotipart issue, 10 comments, closed)

jangosteve commented on July 26, 2024
html escape

from remotipart.

Comments (10)

woodwardjd commented on July 26, 2024

i encountered this under the following circumstance:

create.js.erb:

jQuery('#someid').replaceWith("<%= escape_javascript(render(:partial => 'some/partial', :object => some_obj)) %>");

when the render of the partial included &quot;

Applying the fix @tnedlacer suggests in https://github.com/woodwardjd/remotipart/tree/address_encoding_problem_branch works. Haven't thought too deeply about it, though.

If this makes sense to include I'll initiate a pull request. If not, comments?


tnedlacer commented on July 26, 2024

Please pull request!!


woodwardjd commented on July 26, 2024

@tnedlacer if you're using a recent bundler you can:

gem "remotipart", "~> 1.0", :github => 'woodwardjd/remotipart', :branch => 'address_encoding_problem_branch'

temporarily :)


JangoSteve commented on July 26, 2024

I'm not sure this makes sense to pull in. Looking at @tnedlacer's original code, his output is what would be expected for me.

render :js => "alert('& &amp; > &gt; < &lt; \" &quot;')"
& & > > < < " " # this would be expected output

For the specific use-case where the developer is specifically mixing html entities and raw characters, it looks odd, but thinking of this in terms of returning something like "this is a string with a variable & it is: #{value}", where our hard-coded string has a raw character, while the value may be passed from elsewhere and may be escaped. We use escape_once instead of html_escape (aka h) so we don't end up with input like '&amp; &amp;amp; &gt; &amp;gt; &lt; &amp;lt; &quot; &amp;quot;'.


yasirs commented on July 26, 2024

@tnedlacer: this seems related to my Issue #71. What does the patch in #72 do for your example?


tnedlacer commented on July 26, 2024

@yasirs It is the same as the fix I wanted.

woodwardjd@0b6fab7
ERB::Util.h == html_escape


burabure commented on July 26, 2024

anyone having problems like this should review their code and search for escaped things like &quot; getting rendered on the js response and change them to something like "

ie: my code was breaking because I was trying to render (via js) a partial that had something like this "#{foo.bar}" inside.


woodwardjd commented on July 26, 2024

I am able to reliably reproduce the problem I was seeing with the latest version of remotipart (1.0.5) and the test rails app in https://github.com/JangoSteve/Rails-jQuery-Demo/tree/remotipart

NOTE: as I look more closely, this appears to be a different problem than @tnedlacer's, though what fixes my situation might fix @tnedlacer's.

Here's how to reproduce. I need to move on to other stuff right now, and I bet @JangoSteve would be able to see what to do, if anything, right off the top of his head, so I'm not providing a patch unless requested, and I find some time.

$ git clone -b remotipart git://github.com/JangoSteve/Rails-jQuery-Demo.git
$ cd Rails-jQuery-Demo
$ bundle install
$ rake db:reset
$ rails s

Modify app/views/comments/create.js.erb so the append() function in the javascript is passed a string wrapped in double quotes (versus the default single quotes):

    $('#comments').append( "<%= escape_javascript(
      render @comment
    ) %>" );

Go to http://localhost:3000 and upload a comment with a file attachment. Everything works.

Now, add a &quot; somewhere in the comment partial app/views/comments/_comment.html.erb like:

  <td><%= comment.subject %>&quot;</td>

Go to http://localhost:3000, refresh and upload a comment with a file attachment. Doesn't work. The failure is in the decoding and execution of the javascript on the client side (check out the Network tab in your firebug/inspector).

Now, go back to app/views/comments/create.js.erb and revert back to the default single quotes:

    $('#comments').append( '<%= escape_javascript(
      render @comment
    ) %>' );

Go to http://localhost:3000, refresh and upload a comment with a file attachment. Works again.

Now, go replace that &quot; with a &#39; (ascii quote entity) in the comment partial:

  <td><%= comment.subject %>&#39;</td>

Go to http://localhost:3000, refresh and upload a comment with a file attachment. Doesn't work. The failure is in the decoding and execution of the javascript on the client side.

So, unless I messed something up here, it would seem that the recipe is "don't have entities for double quotes in what you're escaping if you're using double quotes in the javascript", and similarly for single quotes. I think remotipart shouldn't fail in this manner, but I don't have the time right now to think hard about a patch.

Note: I would have submitted rspec specs exercising this if the test suite had executed out of the box on my machine. It did after patching it for capybara/poltergeist and slapping sleeps after each of the clicks. But I'm not about to upload that crap publicly ;)

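The following is an added worked example, not code from this thread or from remotipart, that reproduces the failure described in the steps above in plain Ruby and also illustrates the escape_once versus html_escape trade-off @JangoSteve raised. It assumes simplified stand-ins for the Rails helpers escape_javascript, html_escape and escape_once (modelled on their documented behaviour, not copied from Rails), a constructed rendered partial containing a &quot;, and a simplified model of the iframe transport in which the server wraps the JS body in a textarea and the client reads the textarea's value, which the browser has already entity-decoded, before evaluating it.

```ruby
require "cgi"

# Added example, not remotipart's code: simplified stand-ins for the Rails
# helpers discussed in this thread, then the server -> browser round trip
# that remotipart's iframe transport puts a JS response through.

# Rails' escape_javascript escapes backslashes, quotes, newlines and "</"
# but leaves HTML entities such as &quot; alone (they are just text to it).
JS_ESCAPE_MAP = {
  "\\" => "\\\\", "</" => '<\/', "\r\n" => "\\n",
  "\n" => "\\n", "\r" => "\\n", '"' => '\\"', "'" => "\\'"
}.freeze

def escape_javascript(str)
  str.gsub(/\\|<\/|\r\n|[\n\r"']/) { |m| JS_ESCAPE_MAP[m] }
end

HTML_ESCAPE = {
  "&" => "&amp;", ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# html_escape (ERB::Util.h): escapes every special character, including the
# "&" of an entity that is already there ("&quot;" becomes "&amp;quot;").
def html_escape(str)
  str.gsub(/[&"'<>]/, HTML_ESCAPE)
end

# escape_once: like html_escape but leaves an "&" alone when it already
# starts an entity, so "&quot;" stays "&quot;".
def escape_once(str)
  str.gsub(/["'<>]|&(?!(?:[a-zA-Z]+|#\d+|#[xX]\h+);)/, HTML_ESCAPE)
end

# The create.js.erb from the reproduction, with the JS string literal
# delimited by the given quote character.
def create_js(partial_html, quote)
  "$('#comments').append( #{quote}#{escape_javascript(partial_html)}#{quote} );"
end

# Assumed model of the iframe transport: the server wraps the JS body in a
# <textarea> using the chosen escaper; the client reads textarea.value,
# which the browser has already entity-decoded, and evals it.
def iframe_roundtrip(js_body, escaper)
  escaped = method(escaper).call(js_body)
  document = "<textarea data-type=\"text/javascript\">#{escaped}</textarea>"
  inner = document[%r{<textarea[^>]*>(.*)</textarea>}m, 1]
  CGI.unescapeHTML(inner) # what the browser hands back as textarea.value
end

# Constructed stand-in for the rendered _comment.html.erb with a &quot; in it.
PARTIAL = "<td>Steve&quot;s subject</td>".freeze

# Returns the JS the server produced and what the client ends up evaluating
# under each escaper. With escape_once the partial's &quot; comes back as a
# bare double quote and terminates the JS string literal early.
def roundtrip_demo(quote = '"')
  sent = create_js(PARTIAL, quote)
  {
    sent: sent,
    via_escape_once: iframe_roundtrip(sent, :escape_once),
    via_html_escape: iframe_roundtrip(sent, :html_escape),
  }
end

if $PROGRAM_NAME == __FILE__
  roundtrip_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it shows the double-quoted case from the steps above: the client evaluates `$('#comments').append( "<td>Steve"s subject<\/td>" );`, which is a syntax error, while the html_escape path returns the server's JS byte for byte. The `&amp;amp;` that html_escape produces for an existing `&amp;` is not double escaping from the browser's point of view: the browser decodes the textarea value exactly once, so one extra layer is what it takes for the original entity to survive. With single quotes around the literal the escape_once output still differs from what was sent (the &quot; is silently turned into a `"`), but the resulting JS happens to parse, which is why switching delimiters looks like a fix.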

JangoSteve commented on July 26, 2024

This should be fixed now from #72. Also, the test suite is behaving a bit better now. There were some issues with capybara and it not waiting for ajax requests to finish like it's supposed to.


ioev commented on July 26, 2024

Just a heads up that this isn't fixed. I'm having the same problem with a single quote in a js.erb file returned after a remotipart iframe submission. It seems like the root problem is that jQuery gets confused by the content type (because the response starts with <head> and contains other html tags), assumes it is html/text, and then escapes it as such, replacing &#39; with a single quote and breaking the javascript. In my case, a response containing something like:

$('<div>Steve&#39;s</div>') became $('<div>Steve's</div>')

I fixed the problem by changing my surrounding single quotes to double quotes, but in that case a double quote causes the same issue.

Remotipart version: 1.3.1
jQuery 1.12.4

