Correct JavaScript guide example #35216

Merged
merged 1 commit into from Feb 11, 2019

CHTJonas
Contributor

Summary

Corrects a small error in the documentation regarding usage of JavaScript in Rails 😄

  1. Swaps the #users jQuery selector to correct position.
  2. Prevents ERB from escaping the HTML using the raw helper.

Swap `#users` jQuery selector to correct position and prevent the escaping of HTML.
@rails-bot rails-bot bot added the docs label Feb 10, 2019
@eileencodes eileencodes merged commit b46601b into rails:master Feb 11, 2019
@CHTJonas CHTJonas deleted the patch-1 branch February 11, 2019 14:29
@p8
Member

p8 commented Feb 11, 2019

This change isn't correct and should probably be reverted.
`appendTo` inserts every element in the set of matched elements to the end of the target. https://api.jquery.com/appendTo/
`raw` shouldn't be used either because of XSS.

@kamipo
Member

kamipo commented Feb 11, 2019

Agree, this is correct as is. Reverted fb60def.

kamipo added a commit that referenced this pull request Feb 11, 2019
This reverts commit b46601b, reversing
changes made to 4e6737f.
@CHTJonas
Contributor Author

Sorry my mistake - think I must've been getting confused with jQuery's `.append()`! 😕

Regarding the XSS: I have tested some code that's similar to the example in the docs and it seems to only work when using raw because otherwise Rails tries to escape all the HTML, and trying to append this escaped HTML makes the user's browser very unhappy:

```erb
$( "<%= j render 'thing', thing: @thing, thingy: @thingy %>" ).appendTo("tr#thing-<%= @thing.id %>");
```

```
Error: Syntax error, unrecognized expression: &lt;tr id=&quot;thing-6649&quot;&gt;
  &lt;td&gt;Blood Music&lt;&#47;td&gt;
[snip]
```

Am I doing something wrong here? And apologies for mistakes - first PR in an open-source project.

@CHTJonas
Contributor Author

Ok so I did some more digging on this... Turns out it's an issue with the escape_utils gem which I'm using. Sorry for wasting your time!
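
The two escaping layers discussed in this thread, as an added example that is not part of the PR or the Rails guide: `js_escape` is a simplified stand-in for Rails' `j` helper, and `render_row`, `response_js` and `jquery_argument` are hypothetical names. It shows what jQuery receives when the rendered partial is JavaScript-escaped, HTML-escaped a second time (the `&lt;tr` symptom above), or not JavaScript-escaped at all.

```ruby
require "erb"

# Simplified stand-in for Rails' `j` / escape_javascript helper (assumption:
# the real helper is in ActionView and handles more characters than this).
JS_ESCAPES = {
  "\\" => "\\\\", "</" => "<\\/", "\r\n" => "\\n", "\n" => "\\n",
  "\r" => "\\n", '"' => '\\"', "'" => "\\'"
}.freeze

def js_escape(str)
  str.gsub(/\\|<\/|\r\n|[\n\r"']/, JS_ESCAPES)
end

# Hypothetical row partial. The user-controlled title is HTML-escaped at the
# point where it is interpolated into markup.
def render_row(id, title)
  %(<tr id="thing-#{id}">\n  <td>#{ERB::Util.html_escape(title)}</td>\n</tr>)
end

# Builds the js.erb output for three escaping choices.
def response_js(id, title, mode)
  html = render_row(id, title)
  payload = case mode
            when :js_escaped     then js_escape(html)                        # markup + JS escaping
            when :double_escaped then js_escape(ERB::Util.html_escape(html)) # HTML-escaped twice
            when :unescaped      then html                                   # no JS escaping at all
            end
  %[$("#{payload}").appendTo("#things");]
end

# Returns the value of the first double-quoted JS string literal, i.e. what
# jQuery's $() actually receives once the browser has parsed the script.
def jquery_argument(js)
  literal = js[/"((?:\\.|[^"\\])*)"/m, 1]
  literal.gsub(/\\(.)/m) { $1 == "n" ? "\n" : $1 }
end

if __FILE__ == $PROGRAM_NAME
  title = "Blood <b>Music</b>" # constructed sample input
  %i[js_escaped double_escaped unescaped].each do |mode|
    puts "#{mode}: #{jquery_argument(response_js(6649, title, mode)).inspect}"
  end
end
```

Only the `:js_escaped` form hands jQuery the partial's markup intact, with the user-supplied title still HTML-escaped inside it.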
