remotipart
Response needs to be HTML escaped
As I wrote in issue #122, I have some response errors (no response execution, syntax errors, ...) due to the fact that the response contains a render partial: ..., and remotipart wraps the response into a <textarea data-type="text/javascript">...</textarea>, so its content should be HTML escaped. I resolved it by turning the create.js.erb view from this:
<%- rendering = j render(partial: 'form_errors') %>
$('#form_errors').replaceWith('<%= rendering %>');
into this:
<%# .to_str turns an ActiveSupport::SafeBuffer instance into a String,
which gets HTML escaped %>
<%- rendering = j render(partial: 'form_errors').to_str %>
$('#form_errors').replaceWith('<%= rendering %>');
I don't know whether this behaviour is expected or not, but I think it should at least be documented in the Readme, since it leads to unexpected errors.
Had to do this recently, haven't had this problem in the past...
Thank you for raising this, spent a good few hours trying to work out this one. Particularly frustrating since remotipart also swallows ajax requests in the console. Agree that it should be documented.
Thanks for sharing the solution @mdesantis, I was having the same issue here.
You're welcome, happy to help
There seems to be a difference from version 1.0 to 1.2 where the old code set the text like so:
responses = { text: type ? textarea.value : root ? root.innerHTML : null }
Whereas the new code does it like this:
content = {
html: root.innerHTML,
text: type ?
textarea.value :
root ? (root.textContent || root.innerText) : null
};
So it's using root.textContent or root.innerText. I suspect root.textContent escapes any ' codes with single quotes. So then the javascript will be broken as it will have single quotes that are unescaped.
Thanks @mdesantis as well. Your workaround made my day!
Thanks @mdesantis, this works if I have remotipart data, but currently, we have a scenario where we use the same form for different cases. If remotipart is not being used in that, then this fails because the response is HTML escaped.
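Added example, not part of the thread and not remotipart's or Rails' own code: a Ruby model of the three cases discussed above (raw response through the textarea wrapper, the `.to_str` workaround through the wrapper, and the `.to_str` workaround on a request that is not wrapped). Assumptions: `js_escape` is a simplified stand-in for Rails' `j`, `via_textarea` models the client reading `textarea.value` (one pass of character-reference decoding), and the partial is a constructed sample.

```ruby
require 'cgi'

# Simplified stand-in for Rails' escape_javascript (`j`); not the Rails source.
JS_MAP = { '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n', "\n" => '\n',
           "\r" => '\n', '"' => '\\"', "'" => "\\'" }.freeze
def js_escape(str)
  str.gsub(%r{\\|</|\r\n|[\n\r"']}) { |m| JS_MAP[m] }
end

# create.js.erb as in the post. html_escape_value: true models `.to_str`, where
# <%= %> HTML-escapes the plain String; false models the SafeBuffer case.
def render_view(partial_html, html_escape_value:)
  rendering = js_escape(partial_html)
  rendering = CGI.escapeHTML(rendering) if html_escape_value
  "$('#form_errors').replaceWith('#{rendering}');"
end

# Model of the iframe transport: the body is wrapped in a textarea and the
# client reads textarea.value, so character references are decoded once.
def via_textarea(body)
  html = %(<textarea data-type="text/javascript">#{body}</textarea>)
  CGI.unescapeHTML(html[%r{<textarea[^>]*>(.*?)</textarea}mi, 1])
end

# The single-quoted argument as a JavaScript parser would delimit it.
def replace_with_arg(js)
  js[/replaceWith\('((?:\\.|[^'\\])*)'/, 1]
end

# Constructed sample: a partial whose user-supplied value Rails already escaped.
PARTIAL = %(<ul id="form_errors"><li>Name O&#39;Brien is taken</li></ul>)
INTENDED = js_escape(PARTIAL)

def outcomes
  {
    wrapped_raw:     replace_with_arg(via_textarea(render_view(PARTIAL, html_escape_value: false))),
    wrapped_escaped: replace_with_arg(via_textarea(render_view(PARTIAL, html_escape_value: true))),
    plain_escaped:   replace_with_arg(render_view(PARTIAL, html_escape_value: true))
  }
end

outcomes.each { |name, arg| puts format('%-16s %s', name, arg == INTENDED ? 'intact' : "altered: #{arg}") }
```

In the raw wrapped case the `&#39;` that Rails emitted for the user-supplied value is decoded back to a quote and ends the string literal early, so the rest of that value is parsed as script rather than data. The unwrapped case shows why the escaping has to be conditional on the request actually going through the textarea wrapper.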