Rails escape_javascript creates invalid JSON by escaping single quotes - ruby-on-rails

The escape_javascript method in ActionView escapes the apostrophe ' as backslash apostrophe \', which gives errors when parsing as JSON.
For example, the message "I'm here" is valid JSON when printed as:
{"message": "I'm here"}
But, <%= escape_javascript("I'm here") %> outputs "I\'m here", resulting in invalid JSON:
{"message": "I\'m here"}
Is there a patch to fix this, or an alternate way to escape strings when printing to JSON?

Just call .to_json on a string and it will be escaped properly e.g.
"foo'bar".to_json

I ended up adding a new escape_json method to my application_helper.rb, based on the escape_javascript method found in ActionView::Helpers::JavaScriptHelper:
JSON_ESCAPE_MAP = {
'\\' => '\\\\',
'</' => '<\/',
"\r\n" => '\n',
"\n" => '\n',
"\r" => '\n',
'"' => '\\"' }
def escape_json(json)
json.gsub(/(\\|<\/|\r\n|[\n\r"])/) { JSON_ESCAPE_MAP[$1] }
end
Anyone know of a better workaround than this?

May need more details here, but JSON strings must use double quotes. Single quotes are okay in JavaScript strings, but not in JSON.

I had some issues similar to this, where I needed to put Javascript commands at the bottom of a Rails template, which put strings into jQuery.data for later retrieval and use.
Whenever I had a single-quote in the string I'd get a JavaScript error on loading the page.
Here is what I did:
-content_for :extra_javascript do
:javascript
$('#parent_#{parent.id}').data("jsonized_children", "#{escape_javascript(parent.jsonized_children)}");

Already there is an issue in github/rails
https://github.com/rails/rails/issues/8844
Fix to mark the string as html_safe
<%= escape_javascript("I'm here".html_safe) %>
or even better you can sanitize the string
<%= sanitize(escape_javascript("I'm here")) %>
<%= escape_javascript(sanitize("I'm here")) %>

Related

How to write correctly <%= t('.title_#{Time.now.wday}') %>?

Usually to add a word (for my multilanguage website) I use this system: <%= t('.title') %>
Now in config/locales/en.yml, I added something like this:
en:
home:
title: Title
title_0: Finally Sunday! Watch this title
title_1: Hey! It's monday! This is the Title
And I want to use Time.now.wday and to create something like <%= t('.title_#{Time.now.wday}') %>
But it doesn't work. How to write it correctly?
That's because you need double quotes for string interpolation in Ruby. Just replace
<%= t('.title_#{Time.now.wday}') %>
for
<%= t(".title_#{Time.now.wday}") %>
although it maybe should be
<%= t("home.title_#{Time.now.wday}") %>
because title, title_0 and title_1 are nested under home
Interpolation does not work with single quotes
That means that:
puts "Works in double quoted strings: #{1 + 2}."
puts 'Not not work in single quoted strings: #{1 + 2}.'
will print out:
"Works in double quoted strings: 3."
"Does not work in single quoted strings: #{1 + 2}."
source: http://ruby-for-beginners.rubymonstas.org/bonus/string_interpolation.html

How to replace Space with Line Break in Ruby on Rails?

I am trying to replace Space in a string with Line Break in Ruby on Rails,
name = 'john smith'
i have tried the following so far:
name.gsub!(" ", "\n")
name.gsub!(" ", "<br>")
name.sub(" ", "\n")
name.sub(" ", "<br>")
but none of the above worked.
You have to be careful when marking a string as html_safe, especially if it may contain user input:
name = 'john smith<script>alert("gotcha")</script>'
name.gsub(' ', '<br>').html_safe
#=> "john<br>smith<script>alert(\"gotcha\")</script>"
Rails would output that string as-is, i.e. including the <script> tag.
In order to take advantage of Rails' HTML escaping, you should only mark the trusted parts as being html_safe. For a manually concatenated string:
''.html_safe + 'john' + '<br>'.html_safe + 'smith<script>alert("gotcha")</script>'
#=> "john<br>smith<script>alert("gotcha")</script>"
As you can see, only the <br> tag was left intact, the remaining parts were properly escaped.
There are several helpers for building safe strings as well as for building HTML tags. In your case, I'd use safe_join and tag:
name = 'john smith<script>alert("gotcha")</script>'
safe_join(name.split(' '), tag(:br))
#=> "john<br />smith<script>alert("gotcha")</script>"
While printing it in html you will need to use raw, otherwise rails will escape the tags
= raw name.gsub(" ", "<br>")
Try another one:
<%= name.gsub(" ", "<br>").html_safe %>
html_safe :
Marks a string as trusted safe. It will be inserted into HTML with no additional escaping performed.
"<a>Hello</a>".html_safe
#=> "<a>Hello</a>"
nil.html_safe
#=> NoMethodError: undefined method `html_safe' for nil:NilClass
raw :
raw is just a wrapper around html_safe. Use raw if there are chances that the string will be nil.
raw("<a>Hello</a>")
#=> "<a>Hello</a>"
raw(nil)
#=> ""

Truncate & Simple Format String in Ruby on Rails

I am trying to take a string and render it with simple_format while at the same time truncating it. It works when I just use one or the other, but not when I do both. Why is this not doing simple_format and truncating simultaneously.
Controller
myString = "Apple’s New Laptop"
View
<%= simple_format truncate( myString, :length => 20 ) %>
The way to do this is to truncate after you have used simple_format on the string. Since truncate escapes the string by default, you have to use the escape: false option.
> myString = "Apple’s New Laptop"
> truncate(simple_format(myString), escape: false)
> => "<p>Apple’s New Laptop..."
> truncate(simple_format(myString), escape: false, length: 19)
> => "<p>Apple’s..."
This has the potential to create unbalanced HTML tags by cutting the </p> for example, so use carefully.
There was something changed in the truncate-helper in Rails 4.
The documentation does tells us:
The result is marked as HTML-safe, but it is escaped by default, unless :escape is false.
http://apidock.com/rails/v4.0.2/ActionView/Helpers/TextHelper/truncate
Rails normally escapes all strings. If you just want to put some unicode chars in strings in your code, you can do it by using the \u notation with the hexadecimal code. Then truncate will also count the char as exactly one char.
myString = "Apple\u2019s New Laptop"
This might be late but useful to someone else. This worked for me.
<%= truncate(myString, escape: false, length: 20 ) %>

Ruby & Rails: Variable in string

This is my code and it is loaded in a helper-class
output += '<button class="del_account" param-del="{account.id}">delete</button>'
When I render this to html, account.id is just converted to a string. And not the 'id' that I need. How can I solve this? Because this isn't working either.
output += '<button class="del_account" param-del="#{account.id}">delete</button>'
or this
output += '<button class="del_account" param-del="' +account.id +'">delete</button>'
thanks for your help.
If you need to use both " and ' symbols then here is simple way to deal with them:
output += %[<button class="del_account" param-del="#{account.id}">delete</button>]
This way you can safely place any of mentioned symbols without worrying to escape them.
You could use the Rails helper method content_tag (documentation) which makes things a bit cleaner and more readable.
output += content_tag(:button, "delete", :class => "del_account", :'param-del' => account.id)
Also, technically 'param-del' makes your HTML invalid - your custom attributes should begin with 'data-', so updating above would become:
output += content_tag(:button, "delete", :class => "del_account", :'data-account-id' => account.id)

[] method of Ruby String

When I reading source code of Beast, I found a lot of code like this:
<%= 'Password'[:password_title] %>
It seems like a call to [] method with Symbol as input parameter to a String to me, but I didn't find such type of parameter of String [] method in the ruby API. What is this means?
thanks in advance.
It's a method added by the "Gibberish" plug-in Beast uses, for internationalization. Remember, classes in Ruby are open, so you can't always count on the standard API in cases like this!
In beast source, check out the gibberish plugin where String class is being modified to accept symbols in brackets function.
String class by itself does not do anything reasonable by applying str[symbol] method.
str[fixnum] => fixnum or nil
str[fixnum, fixnum] => new_str or nil
str[range] => new_str or nil
str[regexp] => new_str or nil
str[regexp, fixnum] => new_str or nil
str[other_str] => new_str or nil
These are what I found. If the symbol here is equals to String, I still don't understand the meaning of the code. Why not simply use:
<%= 'password' %>
or even:
password

Resources