Problems passing special chars with observe_field - ruby-on-rails

I am working on a rails project. Using the tag observe_field, I am taking text typed into a text area, processing it in a control, and displaying the result in a div (very similar to the preview in stack overflow). Everything works fine until I type certain special chars.
? => causes the variable not to be found in the params object
(pound) => causes an invalid authenticity error
% => stops the div from being updated
& => every thing after the & is no longer passed into the variable on the server.
Is there a way to solve this?
--- code sample ---
this is the view. ( 'postbody' is a text area)
<%= observe_field 'postbody',
:update => 'preview',
:url => {:controller => 'blog', :action => 'textile_to_html'},
:frequency => 0.5,
:with => 'postbody' -%>
this is the controller that is called
def textile_to_html
text = params['postbody']
if text == nil then
#textile_to_html = '<br/>never set'
else
r = RedCloth.new text
#textile_to_html = r.to_html
end
render :layout => false
end
and this is the javascript that is created:
new Form.Element.Observer('postbody', 0.5, function(element, value) {new Ajax.Updater('preview', '/blog/textile_to_html', {asynchronous:true, evalScripts:true, parameters:'postbody=' + value + '&authenticity_token=' + encodeURIComponent('22f7ee12eac9efd418caa0fe76ae9e862025ef97')})})

This is an escaping issue (as stated by others).
You'll want to change your observe_field :with statement to something like:
:with => "'postbody=' + encodeURIComponent(value)"
Then in your controller:
def textile_to_html
text = URI.unescape(params['postbody'])
...

Can you provide a code sample?
More likely than not you'll just need to escape your HTML entities using encodeuri or something like that.

What does the generated Javascript look like?
Sounds (at first glance) like it's not being escaped.

Related

Rails - escape html in helper?

I currently have a simple method in my application_helper.rb file, which is designed to add a link that will add some a new field to a form when clicked. It looks like:
def link_to_add_fields(type, object_form_builder)
link_to type, "#", "data-partial" => h(render(:partial => type + '/form',
:locals => {type.singularize.to_sym => object_form_builder,
:form_actions_visible => false})),
:class => 'add_fields'
end
I'm having a problem with this code, namely that the partial that should be getting added to the data-partial html attribute is being escaped (presumably by quotes somewhere in the rendered html). I was of the understanding that h() should prevent this, but it doesn't seem to be doing so. Can anyone suggest how to escape this?
EDIT: I tried using the html_safe method as described below, but to no avail. I have managed to get it to escape by doing:
"data-partial" => "'" + render(:partial => type + '/form', :locals => {type.singularize.to_sym => object_form_builder, :form_actions_visible => false}) + "'"
but i'm not sure how safe this is?
EDIT 2: escaping using single quotes is no good - although it escapes the html, it outputs the quotes when the partial is rendered, which is not desirable. Still looking for any ideas on how to escape the html successfully when rendering the partial.
Try an .html_safe method
def link_to_add_fields(type, object_form_builder)
link_to type, "#", "data-partial" => h(render(:partial => type + '/form',
:locals => {type.singularize.to_sym => object_form_builder,
:form_actions_visible => false})).html_safe,
:class => 'add_fields'
end

Rails / Ruby - HTML attribute problem -

I have a tooltip that use this html attribute "original-title".
I have tryed this:
content_tag(:span, '', :class => options[:pinfo_class], :original-title => options[:pinfo])
But it gives a error in view.
Then I have used this which works, but not with the tooltip.
content_tag(:span, '', :class => options[:pinfo_class], :original_title => options[:pinfo])
How do I force rails to use the :original-title ?
You can use a string as a hash key, like 'original-title' => options[:pinfo]. Should work.
Also, most strings can be converted to symbols via 'some-string'.to_sym method, or even defined as :'some-string'.

Rails/ajax - whitespace and request.raw_post

I am starting to learn Ajax with rails.
I have a catalog index page with a text_field_tag querying db if it finds similar "section" results.
Index.html.erb
<h1>Catalogs</h1>
<label>Search by Section:</label>
<%=text_field_tag :section %>
<%= observe_field(:section,
:frequency=> 0.1,
:update=> "article_list",
:url=>{ :action => :get_article_list }) %>
<div id="article_list"></div>
Catalogs_controller.rb
def index
end
def get_article_list
#section = request.raw_post.split(/&/).first
#catalogList = "<ol>"
Catalog.find(:all, :conditions => ["section = ?", #section]).each do |catalog|
#catalogList += "<li>" + catalog.title + "</li>"
end
#catalogList += "</ol>"
render :text => #catalogList
end
Question:
request.raw_post renders something like:
xml&authenticity_token=tgtxV3knlPvrJqT9qazs4BIcKYeFy2hGDIrQxVUTvFM%3D
so I use
request.raw_post.split(/&/).first
to get the section query ("xml"). It works, however how can I do if the query have a whitespace. (like "Open Source") In fact, I have Open Source sections in my db, but request.raw_post.split(/&/).first renders Open%20Source. How can I manage this? Did I have to use a full text search engine to achieve it or there is another way?
Thanks a lot for your explanation!
Look over your logs, in them you will see the post and the params being passed. You should not need to do your own query-string splitting. You should be able to use params[:section] to get the post data.
As your comment implies, there's something missing. Your observe_field needs to tell the Rails helper what to do. Check out: http://apidock.com/rails/ActionView/Helpers/PrototypeHelper/observe_field. Anyhow, you'll want to do something like:
observe_field(... # lots of parameters
:with => 'section'
)
And that should give you params[:section].

haml and no javascript? (rails: form_remote_tag and :with parameter)

i am trying to call a remote method to update page content via ajax/js.
either i am too tired already or haml is not parsing the following code correctly to send the value of the query field via prototype. any ideas?
- form_remote_tag(:url => {:controller => "search", :action => "line"},:with => "'query=' + $('query').value" ) do
%input{:type => 'text', :id => 'query'}
%input{:type => 'submit', :value => 'Search'}
thanks a lot!
t
Have you tried a
= form_remote_tag
instead of
- form_remote_tag
I'm new to HAML myself but I was under the impression that you'll need the form tag to be actually generated not just executed...
Try passing the :with as part of the options hash.
- form_remote_tag({ :url => {:controller => "search", :action => "line"}, :with => "'query=' + $('query').value" }) do
If that doesn't work, debug the problem: Look at the generated html. Is the text field with id query the only element in the page with that id? Is the js code correct? Use the Firebug console to ensure $('query').value returns whatever you've entered into the text field.
Still stuck? Add your generated html into your question so we can better help.
EDIT: Your query input tag does not have a name attribute. Without a name, the javascript helper code skips that field when serializing the form fields...also, you do not need the :with code.
%input{:type => 'text', :id => 'query', :name => 'query'}

remote_form_for in rails with the :with option

Is it possible to use the :with option with remote_form_for?
It works with link_to_remote, and the api docs seems to indicate :with should work with any of the remote_ methods.
Here is the code I'm using, and output it's producing:
Link_to_remote (works):
= link_to_remote 'ARGH', {:url => {:action => 'load_item', :id => #policy.id} , :with => "'elephant=mouse'"}
arg
Remote_form_for (doesn't work)
= remote_form_for :policy, #policy, :url => {:action => 'load_item', :id => #policy.id} , :with => "'elephant=mouse'" do |f|
<form action="http://localhost:3000/quote_edit/load_item/5" method="post" onsubmit="new Ajax.Request('http://localhost:3000/quote_edit/load_item/5', {asynchronous:true, evalScripts:true, parameters:Form.serialize(this)}); return false;">
Does anyone know how to make remote_form_for pick up on this option?
Or is it being ignored by remote_form_for as it needs to use parameters:Form.serialize(this) to pick up the values from the current form?
Cheers
Dave Smylie
I had the same problem when I wanted to use javascript to calculate the id of the url.
Researched the source code and determined that remote forms and submits don't seem to allow the :with statement to work.
I got around this using a hidden field called overridden_id on the form. Then in the :before option, I added javascript to set the hidden fields value.
Inside the controller I added "params[:overriden_id] || parmam[:id]" to my Find to override the default id passed into the url.

Resources