escape_javascript doesn't escape textarea line breaks #6312

Closed
tomtastico opened this Issue May 14, 2012 · 29 comments


@tomtastico

After updating to Rails 3.2.3, line breaks inside textareas are not escaped by escape_javascript and come out as literal newlines, breaking the JavaScript parser (i.e. "SyntaxError: Unexpected token ILLEGAL" in Chrome).

This works fine in 3.2.2.

See http://stackoverflow.com/questions/10589116/escape-javascript-not-properly-escaping-text-areas/10590176

@rafaelfranca
Member

Are you using Haml? If so upgrade it to 3.1.6.rc.1

@tomtastico

No, I'm using good old ERB.

@rafaelfranca
Member

Ok. I marked this as regression. Thanks.

@KensoDev
Contributor

I could not reproduce this one.

This is what I get when I render a new user form

%("#new_user_form").html('<form accept-charset=\"UTF-8\" action=\"/users\" class=\"new_user\" id=\"new_user\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"utf8\" type=\"hidden\" value=\"&#x2713;\" /><input name=\"authenticity_token\" type=\"hidden\" value=\"PxK1918te5W6d6dsBSxZNrj0mvbVLykEZCl7YqUt/HI=\" /><\/div>\n\n  <div class=\"field\">\n    <label for=\"user_name\">Name<\/label><br />\n    <input id=\"user_name\" name=\"user[name]\" size=\"30\" type=\"text\" />\n  <\/div>\n  <div class=\"field\">\n    <label for=\"user_bio\">Bio<\/label><br />\n    <textarea cols=\"40\" id=\"user_bio\" name=\"user[bio]\" rows=\"20\">\n<\/textarea>\n  <\/div>\n  <div class=\"actions\">\n    <input name=\"commit\" type=\"submit\" value=\"Create User\" />\n  <\/div>\n<\/form>');

I render the form just like the question on SO

%("#new_user_form").html('<%= escape_javascript render 'form' %>');

I also could not get a spec to fail on that.
Here's the spec, it's passing.

  def test_escape_javascript_with_linebreak_in_textarea
    given = %(<form id="edit_note" action="notes123" data-method="put">
      <textarea name="note[body]">
      This is the note body </textarea>)
    expect = %(<form id=\\"edit_note\\" action=\\"notes123\\" data-method=\\"put\\">\\n      <textarea name=\\"note[body]\\">\\n      This is the note body <\\/textarea>)
    assert_equal expect, escape_javascript(given)
  end

cc/ @raymccoy
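
For reference, here is what the spec above expects of escape_javascript, as a stand-alone Ruby model added to this thread. It is modeled on the JS_ESCAPE_MAP approach the Rails helper uses, but it is not the Rails source, and the function names (js_escape, js_literal_problems, js_html_assignment) and the sample input are my own. Beyond the newline case reported here it also shows why `</` and quotes are escaped: a raw `</script>` in the data would end an inline script block early, and a raw quote would end the string literal, both of which are script injection rather than just a parse error.

```ruby
# Added example: a stand-alone model of what escape_javascript has to do to
# text that is dropped into a JavaScript string literal. Modeled on the Rails
# helper's JS_ESCAPE_MAP; not the Rails source. Names here are hypothetical.
JS_ESCAPE_MAP = {
  '\\'     => '\\\\',     # an existing backslash must not be read as an escape
  '</'     => '<\/',      # a raw "</script>" would end an inline <script> block early
  "\r\n"   => '\n',       # every line terminator becomes the two characters \ n
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',      # a raw quote would end the string literal
  "'"      => "\\'",
  "\u2028" => '\u2028'    # LINE SEPARATOR is a line terminator in JS source too
}.freeze

def js_escape(text)
  return '' if text.nil?
  text.gsub(/(\\|<\/|\r\n|\u2028|[\n\r"'])/) { |m| JS_ESCAPE_MAP[m] }
end

# Check an escaped fragment for the three things that break or escape a JS
# string literal. Returns an empty array when the fragment is safe to embed.
def js_literal_problems(escaped)
  problems = []
  problems << :raw_newline      if escaped =~ /[\r\n\u2028]/
  problems << :script_close     if escaped.include?('</')
  # a double quote preceded by an even number of backslashes is unescaped
  problems << :unescaped_dquote if escaped =~ /(?<!\\)(?:\\\\)*"/
  problems
end

# What the .js.erb in the report builds: the escaped partial dropped into a
# string literal that jQuery's .html() receives.
def js_html_assignment(selector, html)
  %($('#{selector}').html("#{js_escape(html)}");)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the partial from the spec above, with a real newline
  # inside the <textarea>, which is exactly the case the bug report describes.
  given = "<form id=\"edit_note\" action=\"notes123\" data-method=\"put\">\n" \
          "      <textarea name=\"note[body]\">\n" \
          "      This is the note body </textarea>"
  puts js_html_assignment('#review-form', given)
  p js_literal_problems(given)             # what an unescaped render looks like
  p js_literal_problems(js_escape(given))  # nothing left to complain about
end
```

js_literal_problems is the check to keep in an application's own test suite: the spec above passes against the Rails source, but it is the helper actually resolved at runtime in the application, after every gem has loaded, that the .js.erb view calls.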

@rafaelfranca
Member

@KensoDev thanks for trying to solve this issue.

Could you change your test to use the rails form helper?

@KensoDev
Contributor

I'll probably only get to that tomorrow.

@KensoDev
Contributor

@raymccoy Can you please provide a sample application with the bug isolated?
I am trying to reproduce it or get a failing spec, but it seems like I can't; a sample app would help a great deal.

Thanks

@acapilleri
Contributor

@raymccoy I have also tried to reproduce this, but without success; maybe it's something about render + escape_javascript.

@KensoDev
Contributor

@rafaelfranca This test is passing as well

  def test_escape_javascript_with_linebreak_in_textarea
    given = text_area("post", "body")
    expect = %(<textarea cols=\\"40\\" id=\\"post_body\\" name=\\"post[body]\\" rows=\\"20\\">\\n<\\/textarea>)
    assert_equal expect, escape_javascript(given)
  end
@KensoDev
Contributor

@acapilleri I actually have a minimal sample app where I combine both of these but it renders a single escaped line as expected.

Like I said in this comment: #6312 (comment)

@acapilleri
Contributor

@raymccoy, yes... but maybe @rafaelfranca means to test with a form helper and a partial _form.erb like this:

<%= form_for @post do |f| %>
  <%= f.text_area :description %>
<% end %>
@KensoDev
Contributor

Did that as well, still got the same thing, a clean escaped single line.

@acapilleri
Contributor

@raymccoy, @KensoDev sorry if it's trivial, but have you tested it inside a .js.erb view?

@tomtastico

@acapilleri yes, it is failing for me in a .js.erb view with

$('#review-form, #edit-review-modal .modal-body').html("<%= escape_javascript(render("reviews/form", :garage => @review.garage, :review => @review)) %>");

Will try to get a test app reproducing this later today.

@acapilleri
Contributor

@raymccoy Thanks!

@acapilleri
Contributor

@KensoDev, any news?

@KensoDev
Contributor

@acapilleri I tested this one in every way possible, including a sample app, specs in the rails source on 3-2-stable and more.

I could not reproduce.

I just chimed in here to try and figure out what the issue is, but I could not reproduce this in any ways that I have tried.

@rafaelfranca
Member

@acapilleri are you sure that you don't have Haml installed in your application?

@tomtastico

After trying to reproduce this in a basic test app, I'm positive it comes from a gem. It was working fine with the initial gemfile, but then I added all the gems from my production app to the test app and my simple test failed as described. Will try to narrow down the gem.

The funny thing is that if I downgrade to Rails 3.2.2 then all works fine, with the same set of gems.

@KensoDev
Contributor

@raymccoy maybe you can use pry or just plain old irb debugging and check where the method escape_javascript is pointing to and if there's any method chaining.
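
The check suggested above, written out as an added example that is not from this thread. It runs without Rails: JavaScriptHelper stands in for ActionView's helper module, and PrependingGem and the reopened ReopenedHelper stand in for the two ways a gem can replace escape_javascript. All module, class and function names are hypothetical; the real call in a Rails console would be method_provenance(ActionView::Base, :escape_javascript).

```ruby
# Added example, not from the thread: find out which code actually defines a
# helper after all gems have loaded, and smoke-test its behaviour. Every name
# below is a hypothetical stand-in for the Rails / gem modules involved.
module JavaScriptHelper                 # stands in for ActionView's helper module
  def escape_javascript(js)
    js.gsub(/\r\n|[\n\r]/, '\n')        # enough of the real helper for this demo
  end
end

class CleanView
  include JavaScriptHelper
end

# Style 1: a gem that prepends its own module. The method's owner changes.
module PrependingGem
  def escape_javascript(js)
    js                                  # hypothetical broken override
  end
end

class PrependedView
  include JavaScriptHelper
  prepend PrependingGem
end

# Style 2: a gem that reopens the framework module and redefines the method.
# The owner stays the same; only source_location moves.
module ReopenedHelper
  def escape_javascript(js)
    js.gsub(/\r\n|[\n\r]/, '\n')
  end
end
ORIGINAL_DEF_LINE = ReopenedHelper.instance_method(:escape_javascript).source_location[1]

module ReopenedHelper
  def escape_javascript(js)
    js                                  # hypothetical broken redefinition
  end
end

class ReopenedView
  include ReopenedHelper
end

# Which module and which file/line does this class's method really come from?
def method_provenance(klass, name)
  m = klass.instance_method(name)
  file, line = m.source_location
  { owner: m.owner.name, file: File.basename(file.to_s), line: line }
end

# Behavioural smoke test worth keeping in an app's own suite: does the helper
# the views will call still turn a newline into the two characters \ n ?
def helper_escapes_newlines?(view)
  out = view.escape_javascript("a\nb")
  !out.include?("\n") && out.include?('\n')
end

if __FILE__ == $PROGRAM_NAME
  [CleanView, PrependedView, ReopenedView].each do |klass|
    p klass.name => method_provenance(klass, :escape_javascript)
    p helper_escapes_newlines?(klass.new)
  end
end
```

The owner check catches a prepend-style patch; the source_location check catches a module that has been reopened, which is why both are worth reporting. Compare the file against the gem directories in the bundle to see which gem is responsible.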

@rafaelfranca
Member

Guys, if you have Haml in your project, even if you don't use it to generate your views, it will break this helper.

@acapilleri
Contributor

@rafaelfranca I don't have Haml, so is it an external gem problem?

@rafaelfranca
Member

We have to verify, but I think so. Post your Gemfile.lock in a gist so we can check the dependencies.

@acapilleri
Contributor

Maybe it is better that @raymccoy posts his Gemfile.lock; all my tests pass.

@acapilleri
Contributor

@raymccoy can you post your Gemfile.lock both when your test app works fine and when it fails? Thanks

@tomtastico

Found it, it's rails_admin. It requires haml ~> 3.1 which makes 3.1.5 get installed (the current stable at rubygems), which causes this error as @rafaelfranca said.

Not sure if I should make a request for rails_admin to increase the requirement to 3.1.6.rc.1, as in this light this is a transitory issue that will get fixed by itself when 3.1.6 goes stable in rubygems.

@rafaelfranca
Member

@raymccoy as a workaround you can pin the Haml version in your Gemfile to 3.1.6.rc.1 until the final release.

# Gemfile
gem 'haml', '3.1.6.rc.1'

I'm closing this issue.

@acapilleri @KensoDev thank you so much for tracking down this issue. I really appreciate it.

@raymccoy if this workaround works, please let us know.

@tomtastico

I confirm forcing the haml version in the gemfile made it work with rails 3.2.3 for me. Thank you for the help and sorry for not testing more thoroughly before posting the bug!

@rafaelfranca
Member

You are welcome.
