While writing some HAML for a Rails application, I tried to use the :javascript filter to embed some inline javascript into the document. Whenever I try to load the page, Rails complains with Invalid filter name ":javascript". The code I am trying to include is the following:
:javascript
$(document).ready(function() {
$('#variants').editableTableWidget();
});
Why is rails complaining?
You seem to have somehow got an extra character in your code, a “soft hyphen” (U+00AD), between the s and c of “javascript”. It doesn’t show up in the HTML, but copying your code and pasting into the terminal to run it reveals the extra character, and the error message appears as
Invalid filter name ":javas-cript".
(here I’ve replaced the soft hyphen with a normal one so that it shows up in the HTML)
It might not show up in your editor, but if you advance your cursor over the word one character at a time you may notice you need an extra key press between the s and c.
To fix it, just delete this extra character. If you can’t find it or are unsure, delete the whole javascript and retype it.
Related
I asked another question on how to fix a HTML sting with missing tags, and the answer I got was to use DOMParser, or innerHTML. Both of these worked like a charm, but that got me thinking, how can I do this without the help of a browser? For example, if I want to manipulate this string in Node?
The example string I mentioned is as follows:
"This <small>is <i>ONE</small> Messed up string</i>."
Which I want to fix so it looks like:
"This <small>is <i>ONE</i></small><i> Messed up string</i>."
My thinking was to use a combo of substring and join, and append a missing closing tag, or prepend a missing opening tag, but it seems an amateur move.
The most robust way to do this from scratch (e.g. without the help of the browser) would be to write a parser that understands your "broken" syntax and outputs the "correct" syntax as it parses it. You would have to decide when to add the missing tags. This would work out to several pages of code, but idea would be the following:
First write a tokenizer that can read your string in "tokens". You would want to read pieces of text and categorize them as either start tag, content, or close tag. This is easiest done by iterating through each character of the string in a state machine that keeps track of the context, understands the escape sequences, and emits a list of tokens.
Next write another state machine that reads those tokens.
Every time you encounter a Start Tag token, you would append the token's raw value to the result string, and push the currently open Start Tag (if any) onto a stack
When you reached a content tag, you would simply write the raw token value
When you reached a End Tag, you would check if matched the current Start Tag. If not, you would write a fake "Start Tag" to the result string to match the End Tag, followed by the End Tag's raw value. If it does match the current Start Tag, then you would write the End Tag, and pop the most recent Start Tag from the aforementioned stack. If the stack was empty, you would assume you were not in a tag anymore.
When done with all the tokens, if the stack was not empty, foreach Start Tag on the stack, write fake closing tags to the result.
SO kept preventing me from posting the title I wanted so finally got a title that let me post though it kind of sucks so feel free to edit/change it.
I have fields a user can fill in and in the javascript we have
'${chart.title}'
and stuff like that. Is it sufficient to just strip out the single quote character such that they cannot escape it back to javascript? or are there other ways to close out the string that started with the single quote character.
${chart.title} inserts the title a user typed in on a previous page so naturally they could type something like "Title'+callMethod()+'RestOfTitle" injecting a callMethod into my javascript.
thanks,
Dean
The best way would be to restrict the input to alphanumerical and space characters.
If you want to allow anything inside the title, you can use a escaping function.
http://xkr.us/articles/javascript/encode-compare/
Just stripping the string of single quote characters is definitely not enough. Think of new lines for one reason.
There are couple of options.
First go very restrictive way and do both so called white-list validation for input field for you title and always encode the text that you output to the page. That will filtered out all unwanted (and potentially dangerous) characters and make sure that if some of them pass filter (or somebody update the text to contains some js code after the filters were applied) the encoding procedure make all malicious js scripts not runable (it turns it into plain text).
Second you do let your users input what ever they want (which is highly unrecommended way but sometime developers asked to do it) but always encode the text that you output to the page.
You can implement white-list validation by yourself using regular expression or you can use one of the libraries.
Consider the following Javascript:
var previewImg = 'http://example.com/preview_img/hey.jpg';
var fullImg = previewImg.replace('preview','full');
I would expect the value of fullImg to be:
http://example.com/full_img/hey.jpg
In fact, it is... sort of. Running alert(fullImg); shows the expected url string. But when I deliver that variable to jQuery Fancybox, like this:
jQuery.fancybox.open(fullImg);
Something adds characters into the string, like this:
http://example.com/%EF%BF%BCfull_img/hey.jpg
Where is this %EF%BF%BC coming from? What is it? And most importantly, how do I get rid of it?
Some other clues: This is a Drupal 7 site, running jQuery 1.5.1. I'm using that same Fancybox script elsewhere on the site with no issues.
%EF%BF%BC is a sequence of three URL-encoded characters.
You clearly can't see any unexpected characters in the string. That's because the character sequence %EF%BF%BC is invisible.
It's actually a UTF-8 byte-order mark sequence. This sequence typically comes at the start of a UTF-8 encoded text file. They probably got into your code when you did a copy+paste from another file.
The quickest way to get rid of them is to find the bit of code that was copied+pasted, delete the characters on either side of the problem, and retype them. Depending on your editor, you may find the delete behaves strangely as it deletes the hidden characters.
Some text editors and IDEs will have an option to show hidden characters. If your editor has this, it may help you see where the mystery characters are so you can delete them.
Hope that helps.
I am experimenting TinyMCE editor to set its content on click of an hyperlink. For this I used their own demo page and tried adding a link their. But clicking on link did not set the content of the editor. So I went on debugging it in IE9. I tried putting breakpoint on the line, but surprised - I was able to toggle breakpoint everywhere, except that line.
snapshot here: http://s15.postimage.org/a7ntjabfv/Tiny_MCE_Debug.png
Why is this happening?
Actually, now that you mentioned it...I figured what happened.
The line where you're trying to set the breakpoint looks like invalid html, so IE behaves correctly.
In your example, html attributes (like the onclick you have) are delimited by double quotes ("). But you also have another string delimited by " inside the attributes, which leads to a syntax error. To get around this, you must delimit your strings by single quotes: ' . So the solution that you found is correct.
I'm currently working on a CKEditor plugin which would add internal links to our CMS. One of the thing their current link plugin does is that it'll parse through a link when it loads the link dialog to figure out what "type" it is.
Since I created the internal type I need to add a regular expression to compare it to and I'm having trouble doing so. I managed to match my expression using this tool but once I use the same expression in the RegExp object definition it doesn't seem to work.
My links look like this:
/en/my_folder_5
or
/fr/my_folder_5
I tried the following (which worked in that tool):
/(en|fr)/[A-Za-z_^/]+_[0-9]+
but all the slashes get escaped when I "alert" the expression (which leads me to believe it might be what's breaking it since I copy pasted the alerted expression and it did not work)
Any help is appreciated :)
var regex = /\/(en|fr)\/[A-Za-z_^\/]+_[0-9]+/;
alert(regex.test('/fr/my_folder_5')); // prints true