Marnen Laibow-Koser wrote:
> SpringFlowers AutumnMoon wrote:
> [...]
>> however, isn't it true that if we ever need to set the title into the
>> div's innerHTML, then we also need to sanitize it?
>>
>> so to_json(h(title)) ?
>
> Actually, that would be h(to_json title). Remember, you put it into
> JSON first, then escape it for HTML so it won't break the DOM.
Hm, if I use in app_controller.rb
class AppController < ApplicationController
def index
@s = "Bill Gates's dog said \"whoof whoof\" and \n ran away."
end
end
and then in index.rhtml, use
<script type="text/javascript">
var s = <%= h(@s.to_json) %>;
var t = <%= h(@s).to_json %>;
</script>
then the code generated is
<script type="text/javascript">
var s = "Bill Gates's dog said \"whoof whoof\" and \n ran away.";
var t = "Bill Gates's dog said "whoof whoof" and \n ran away.";
</script>
So the first line gave an error in Firefox. I just wonder how come
something so basic has no general discussion in any book about how to do
it, and some experienced developers I talked to weren't sure how to do it
either. By the way, so to_json is a method but h is a function? Is there a
way to write something like @s.h.to_json, @s.to_h.to_json or
@s.html_escape.to_json so that it is OO all the way?
Thanks.
--
Posted via http://www.ruby-forum.com/.
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
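Added example (editor's code, not from this thread and not Rails' own implementation) showing in plain Ruby why `h(@s.to_json)` fails, why `h(@s).to_json` silently changes the value, and what works inside a `<script>` block. The browser does not decode HTML entities inside `<script>`, so HTML-escaping the JSON literal leaves `&quot;` in the JavaScript source and the parser rejects it, which is the Firefox error reported above. Escaping before `to_json` gives a syntactically valid literal whose value now contains `&quot;` and `&#39;`; that is correct only when the JavaScript side will insert the string through innerHTML. The form that keeps the value intact and cannot end the script element early is: JSON-encode first, then replace `<`, `>` and `&` (and the U+2028/U+2029 line separators, which older JavaScript engines reject inside string literals) with their `\uXXXX` JSON escapes; later Rails versions ship this idea as `ERB::Util.json_escape`. The `h` below is a stand-in for Rails' `html_escape` (older Rails did not escape `'`; the stand-in does, as an assumption), and `json_escape`, `script_literal`, `round_trips?` and `breaks_out_of_script?` are names chosen for this example. The sample strings, including the `</script>` payload, are constructed.

```ruby
require 'json'

# Stand-in for Rails' h / ERB::Util.html_escape (assumption: ' is escaped too,
# which older Rails versions did not do).
HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' }.freeze
def h(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# Example helper (not Rails' own code): after JSON encoding, replace the
# characters that can close a <script> element or start a tag, plus the two
# Unicode line separators, with JSON \uXXXX escapes. JSON.parse and a JS
# engine both read "\u003c" back as "<", so the value is unchanged while the
# markup stays inert. Note the single quotes: '\u003c' is six literal chars.
JSON_ESCAPE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
                "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze
def json_escape(json)
  json.gsub(/[<>&\u2028\u2029]/, JSON_ESCAPE)
end

# The three ways of emitting a Ruby value as `var s = ...;` inside <script>.
def script_literal(value, strategy)
  case strategy
  when :h_after_json  then h(value.to_json)            # the post's first line
  when :h_before_json then h(value).to_json            # the post's second line
  when :json_escape   then json_escape(value.to_json)  # recommended form
  else raise ArgumentError, "unknown strategy #{strategy}"
  end
end

# Emulate what the JS engine does with the literal: parse it as a JSON string
# (a string literal produced by to_json is valid in both) and compare it with
# the Ruby value. A parse failure is the syntax error Firefox reported.
def round_trips?(value, strategy)
  JSON.parse(script_literal(value, strategy)) == value
rescue JSON::ParserError
  false
end

# The HTML parser ends a <script> element at the first "</" that begins a
# closing script tag, regardless of JavaScript string quoting; a literal that
# still contains "</" can therefore terminate the script early.
def breaks_out_of_script?(literal)
  literal.include?('</')
end

if __FILE__ == $PROGRAM_NAME
  s = "Bill Gates's dog said \"whoof whoof\" and \n ran away."   # constructed, from the post
  %i[h_after_json h_before_json json_escape].each do |strategy|
    puts "#{strategy}: var s = #{script_literal(s, strategy)};"
    puts "  round-trips: #{round_trips?(s, strategy)}"
  end
  payload = "</script><script>alert(1)</script>"                  # constructed attacker input
  puts "to_json alone breaks out: #{breaks_out_of_script?(payload.to_json)}"
  puts "json_escape breaks out:   #{breaks_out_of_script?(script_literal(payload, :json_escape))}"
end
```

Run it as a script to see the three literals side by side; `h_after_json` starts with `&quot;` (unparseable in a script block), `h_before_json` parses but carries entities in the value, and `json_escape` is the only one that both parses and returns the original string, for the harmless sample and for the `</script>` payload alike.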