In my Ruby on Rails app this controller responds with Javscript render. For certain 'labels' I need to replace spaces with a newline character \n. There are two ways to do this:
1) Replace the white spaces in db itself and just fetch and serve it in the front end.
This makes "North America" to "North\nAmerica"
2) Replace it in the application code
label = label.gsub(" ","\n")
The second one breaks the javascript code. I looked at the request using firebug and the second one breaks the word, the newline character is actually interpreted as compared to the first implementation where it appears as plain text.
Context:
The action renders a .js file as it's response to an ajax call. The js file calls Morris.js functions to implement analytics. See this question here too: svg-text-disappears-on-larger-label
It seems that you are having problem with javascript escaping in your code.
If you are using remote request than you may use escape_javascript and in case you are using the script in html then you must escape it the way we normally do it using '\'
Related
I am in the process of creating a forum. I am doing this without tutorials to test my php, mysql, javascript knowledge and it's going well however I've encountered 1 problem:
I am using encodeURIComponent() to sanitise the posted forum text before sending it via ajax to my PHP and finally through to MySQL. I've noticed that this changes any new lines into the literal carriage return symbol (down and left arrow).
When this forum text is then returned from the database through an ajax request I can see this symbol in my console window but the javascript simply ignores it.
How can I make it recognise this symbol?
Image of the console window
Image of the output HTML
HTML is always ignoring carriage returns, because you are meant to use <p></p> and <br/> for that.
The easiest way to fix your issue is to just replace all carriage returns with line breaks again. You can use str_replace with PHP or str.replace with JavaScript.
I don't have to HTML encode the string. I was trying various solutions, but the problem is still, how do you handle the semicolon entered by the user if you need to do a JS str.indexOf(";"); later on.
I’m using System.Net.WebUtility.HtmlEncode(test); encode my string,which adds semicolons (as you would expect for html encoding).
Later down the process this string gets utilized to create JavaScript commands that end with ';'. These commands are separated by doing a str.indexOf(";");
My issue is that the user is allowed to enter semi-colon in the field,which breaks the aforementioned indexof(";"), which I use to dynamically create the JavaScript commands.
How can I support users entering in semicolons into a string if I need to do a JS indexof(";") to separate the JS commands?
I tried in the C# side doing a
string myString = System.Net.WebUtility.HtmlEncode(test);
but that just makes the situation worse by adding even more semicolons as you would expect for HTML enconding.
The solution I came up with was to do a replace on the the C# side. In C# I do a .Replace of all % and (other problematic characters) with their URL encoded string versions before the JavaScript command ending ";" gets inserted(i.e. myString.Replace(";","%3B").Replace("=","%3D");).
Once it hits the JavaScript side I do the complete opposite, thus leaving my JS semicolons intact.
The aforementioned solution allowed me to distinguish between a user inserted semicolon and one entered in programmatically.
In my rails app, I'm adding text dynamically to the page using something like this
$('.container').append('<div class="test"><%=description%></div>')
The issue is that sometimes the ruby variable "description" contains single quotes (for example, it might container the word "I'm"), which leads to errors when the page tries to render the text.
What's the best way to avoid this problem by escaping quotes in description?
Checkout Rails' JavaScript Helper, in particular escape_javascript(javascript)
Escapes carriage returns and single and double quotes for JavaScript
segments.
Also available through the alias j(). This is particularly helpful in
JavaScript responses, like:
$('some_element').replaceWith('<%=j render 'some/element_template'
%>');
I have JS calling remote server through AJAX. The response contains something similar to this
<script>alert(document.getElementById('some_generated_id').innerHTML; ... </script>
User copies the response and uses for own purposes. Now I need to make sure that not a single browser runs the code when I do this:
var response = '<scrip.....';
document.getElementById('output_box').innerHTML = response;
Same should apply to any HTML tags. I know that .text() from jQuery will do exactly what I need:
var response = '<scrip.....';
$('#output_box').text(response);
I am looking for any solutions, including, but not limited to: escaping special characters, however displaying them correctly; adding zero-width space to tags (has to be efficient); outputting in parts. Has to be pure JS.
If you're using a server-side language there is probably a method to escape special characters.
In PHP you could use htmlspecialchars(), it will convert certain characters that have significance in HTML to HTML entities (i.e. & to &).
They will still display correctly and you'll be able to copy and paste the text, but the javascript shouldn't run.
If you need a pure javascript solution for this, someone has answered that here https://stackoverflow.com/a/4835406/15000
I'm trying to have Python run some Javascript, and I am running into a few issues. Namely that when I am trying to inject some text into a textarea of a page, it doesn't seem to work if and only if there is a newline (\n) as part of the variable inserted for the Javascript.
Here's my line:
br.runjs("document.getElementById('edit-body').value = '%s'" % (brag))
if the variable "brag" has any sort of newline in it at all, the insertion does not work. Any idea how to go around this?
Encode brag as JSON and then use that.