A lot of the proposed issues aren't really too bad IMO; they're mainly just related to one developer's preferences and taste over another's. I personally don't think returning JS from an ajax call is much (if any) worse than returning HTML. It's all just your server rendering some markup/code for the browser to interpret.
However, from the UJS side, the main issue with using JS as the response is that the user has no control over the exact context of the automatic eval being done by jQuery, or exactly when during the callback sequence the code is eval'd. This actually caused code to break at one point due to a jQuery update, which would cause issues if your returned JS replaced the element that triggered the UJS remote (ajax) call. See: https://github.com/rails/jquery-ujs/issues/223#issuecomment-2791098

That being said, I'm not necessarily in the "we should deprecate this" camp. I'm somewhat indifferent. Deprecation means one less thing to maintain (and would allow me to delete all of one line in UJS).

-- 
Steve Schwartz

On Thursday, November 28, 2013 at 4:45 PM, Alex wrote:

> I believe the primary use case for js responder is remote forms, where you
> are not doing the request yourself, so a js response is the simplest and most
> natural approach there. This is not inherently insecure so should not be
> deprecated just because it does not feel good to some.
>
> On Thursday, November 28, 2013 3:49:40 PM UTC-5, Aaron Patterson wrote:
> > On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote:
> > > https://github.com/rails/rails/issues/12374#issuecomment-29446761
> > >
> > > Here in discussion I proposed to deprecate JS responder because this
> > > technique is insecure and not a pragmatic way to transfer data.
> > > It can be exploited in this way:
> > > http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> > >
> > > I find this bug very often so I know what I'm talking about. With it an
> > > attacker can steal user data and authenticity_token if templates with a
> > > form were leaked too.
> >
> > Removing it seems fine to me, but I suppose we should deprecate it
> > first. Don't people need to specifically say "render js: whatever"?
> >
> > I think 100% of "render js:" cases can be implemented using JSON. But
> > maybe I am wrong.
> >
> > --
> > Aaron Patterson
> > http://tenderlovemaking.com/
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscr...@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.