rendering multiline Javascript by using JSONP in rails - javascript

In a controller I try to render a javascript google ad to print it into some HTML using JSONP, like this
<script type="text/javascript"><!--
google_ad_client = "pub-23222424";
google_alternate_color = "FFFFFF";
google_ad_width = 468;
google_ad_height = 60;
//--></script>
<script type="text/javascript"
src="http://pagead2.google.com/pgad/show_ads.js">
</script>
So I do:
render :text "var s_response = { content: '<script type=\"text/javascript\"><!--\\ngoogle_ad_client = \"pub-23222424\";\\ngoogle_alternate_color = \"FFFFFF\";\\ngoogle_ad_width = 468;\\ngoogle_ad_height = 60;\\n//--><\\/script>\\n<script type=\"text/javascript\"\\n src=\"http://pagead2.google.com/pgad/show_ads.js\">\\n<\\/script>', id: '2'};">
But i get this error:
unterminated string literal
[Break on this error] var response = { content: '<script type="text/javascript"><!--
=> That seems like it is a multilines problem right ? But I don't know how to resolve it.
Thanks,
Lucas


In JavaScript, you cannot spread a string over multiple lines.
In this case, you can leave out those comments so you can put everything in a single line and get rid of the newline characters (\n).
BTW, a valid JSON response would surround every string, whether it represents a key or a value, with double quotes. Also see JSONLint's FAQ:
Proper format for a collection is: {
"key": "value" }
In the end, you get:
render :text "var s_response = { \"content\": \"<script type='text/javascript'>google_ad_client = 'pub-23222424';google_alternate_color = 'FFFFFF';google_ad_width = 468;google_ad_height = 60;<\\/script><script type='text/javascript' src='http://pagead2.google.com/pgad/show_ads.js'><\\/script>\", \"id\": \"2\"};">


Write huge strings like in my example below and stop escaping them:
render :text => %{
<script type="text/javascript">
//<!--
google_ad_client = "pub-23222424";
google_alternate_color = "FFFFFF";
google_ad_width = 468;
google_ad_height = 60;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.google.com/pgad/show_ads.js">
</script> }


Thanks for your responses !
Marcel > The problem is that if I get rid of the newline characters my ad can't display anymore, I tried it "manually". So I may need to replace the "/n" characters before to send the response by something like a unique string and to replace them again after the response is received by the server ?
floatless > Initially I did not escaped my response and it did not work. So I do not think it will change anything, but thanks anyway.

Related

How to store use triple-quoted backtick strings with marked.js

I'm using marked.js to render code that we want to store (ultimately as JSON). However, the I can't get triple-back-ticked convention to render correctly. I'm sure user error on my part but how would I to get the following to work?
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<div id="content"></div>
<script>
let str = marked.parse("here is the body of arguments ```\n\nclass User\n def say_my_name\n puts 'my name'\n end\nend```");
document.getElementById('content').innerHTML = str;
</script>
which renders for me like:

What you have is
here is the body of arguments ```
class User
def say_my_name
puts 'my name'
end
end```
But that is not valid. The code fences should always be on a new line:
let str = marked.parse("here is the body of arguments \n```\n\nclass User\n def say_my_name\n puts 'my name'\n end\nend\n```");
document.getElementById('content').innerHTML = str;
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<div id="content"></div>

You've got the newlines mixed up around the first trio of backticks:
let str = marked.parse("here is the body of arguments\n ```\nclass User\n def say_my_name\n puts 'my name'\n end\nend```");
document.getElementById('content').innerHTML = str;
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<div id="content"></div>
See how it's monospace now?

Why my regex is not working in react but working anywhere else (e.g. regex tester online)? [duplicate]

I am trying to remove all the html tags out of a string in Javascript.
Heres what I have... I can't figure out why its not working....any know what I am doing wrong?
<script type="text/javascript">
var regex = "/<(.|\n)*?>/";
var body = "<p>test</p>";
var result = body.replace(regex, "");
alert(result);
</script>
Thanks a lot!

Try this, noting that the grammar of HTML is too complex for regular expressions to be correct 100% of the time:
var regex = /(<([^>]+)>)/ig
, body = "<p>test</p>"
, result = body.replace(regex, "");
console.log(result);
If you're willing to use a library such as jQuery, you could simply do this:
console.log($('<p>test</p>').text());

This is an old question, but I stumbled across it and thought I'd share the method I used:
var body = '<div id="anid">some text</div> and some more text';
var temp = document.createElement("div");
temp.innerHTML = body;
var sanitized = temp.textContent || temp.innerText;
sanitized will now contain: "some text and some more text"
Simple, no jQuery needed, and it shouldn't let you down even in more complex cases.
Warning
This can't safely deal with user content, because it's vulnerable to script injections. For example, running this:
var body = '<img src=fake onerror=alert("dangerous")> Hello';
var temp = document.createElement("div");
temp.innerHTML = body;
var sanitized = temp.textContent || temp.innerText;
Leads to an alert being emitted.

This worked for me.
var regex = /( |<([^>]+)>)/ig
, body = tt
, result = body.replace(regex, "");
alert(result);

This is a solution for HTML tag and &nbsp etc and you can remove and add conditions
to get the text without HTML and you can replace it by any.
convertHtmlToText(passHtmlBlock)
{
str = str.toString();
return str.replace(/<[^>]*(>|$)| |‌|»|«|>/g, 'ReplaceIfYouWantOtherWiseKeepItEmpty');
}

Here is how TextAngular (WYSISYG Editor) is doing it. I also found this to be the most consistent answer, which is NO REGEX.
#license textAngular
Author : Austin Anderson
License : 2013 MIT
Version 1.5.16
// turn html into pure text that shows visiblity
function stripHtmlToText(html)
{
var tmp = document.createElement("DIV");
tmp.innerHTML = html;
var res = tmp.textContent || tmp.innerText || '';
res.replace('\u200B', ''); // zero width space
res = res.trim();
return res;
}

you can use a powerful library for management String which is undrescore.string.js
_('a link').stripTags()
=> 'a link'
_('a link<script>alert("hello world!")</script>').stripTags()
=> 'a linkalert("hello world!")'
Don't forget to import this lib as following :
<script src="underscore.js" type="text/javascript"></script>
<script src="underscore.string.js" type="text/javascript"></script>
<script type="text/javascript"> _.mixin(_.str.exports())</script>

my simple JavaScript library called FuncJS has a function called "strip_tags()" which does the task for you — without requiring you to enter any regular expressions.
For example, say that you want to remove tags from a sentence - with this function, you can do it simply like this:
strip_tags("This string <em>contains</em> <strong>a lot</strong> of tags!");
This will produce "This string contains a lot of tags!".
For a better understanding, please do read the documentation at
GitHub FuncJS.
Additionally, if you'd like, please provide some feedback through the form. It would be very helpful to me!

For a proper HTML sanitizer in JS, see http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer

<html>
<head>
<script type="text/javascript">
function striptag(){
var html = /(<([^>]+)>)/gi;
for (i=0; i < arguments.length; i++)
arguments[i].value=arguments[i].value.replace(html, "")
}
</script>
</head>
<body>
<form name="myform">
<textarea class="comment" title="comment" name=comment rows=4 cols=40></textarea><br>
<input type="button" value="Remove HTML Tags" onClick="striptag(this.form.comment)">
</form>
</body>
</html>

The selected answer doesn't always ensure that HTML is stripped, as it's still possible to construct an invalid HTML string through it by crafting a string like the following.
"<<h1>h1>foo<<//</h1>h1/>"
This input will ensure that the stripping assembles a set of tags for you and will result in:
"<h1>foo</h1>"
additionally jquery's text function will strip text not surrounded by tags.
Here's a function that uses jQuery but should be more robust against both of these cases:
var stripHTML = function(s) {
var lastString;
do {
s = $('<div>').html(lastString = s).text();
} while(lastString !== s)
return s;
};

The way I do it is practically a one-liner.
The function creates a Range object and then creates a DocumentFragment in the Range with the string as the child content.
Then it grabs the text of the fragment, removes any "invisible"/zero-width characters, and trims it of any leading/trailing white space.
I realize this question is old, I just thought my solution was unique and wanted to share. :)
function getTextFromString(htmlString) {
return document
.createRange()
// Creates a fragment and turns the supplied string into HTML nodes
.createContextualFragment(htmlString)
// Gets the text from the fragment
.textContent
// Removes the Zero-Width Space, Zero-Width Joiner, Zero-Width No-Break Space, Left-To-Right Mark, and Right-To-Left Mark characters
.replace(/[\u200B-\u200D\uFEFF\u200E\u200F]/g, '')
// Trims off any extra space on either end of the string
.trim();
}
var cleanString = getTextFromString('<p>Hello world! I <em>love</em> <strong>JavaScript</strong>!!!</p>');
alert(cleanString);

If you want to do this with a library and are not using JQuery, the best JS library specifically for this purpose is striptags.
It is heavier than a regex (17.9kb), but if you need greater security than a regex can provide/don't care about the extra 17.6kb, then it's the best solution.

Like others have stated, regex will not work. Take a moment to read my article about why you cannot and should not try to parse html with regex, which is what you're doing when you're attempting to strip html from your source string.

Remove all scripts with javascript regex

I am trying to remove all scripts tags with content from the string of the type below with regex in javascript.
But I am still getting as output:
");</script>
when it should be an empty string.
The code is:
var BG = '<script type="text/javascript">document.write("<script type=\"text\/javascript\" src=\"http:\/\/site;js=y;target=_blank;time="+ (window.emediate_time ? window.emediate_time : window.emediate_time = new Date().getTime()) +"1053997930;"><\/script>");</script><script type="text/javascript" src="some?cre=mu;js=y;target=_blank"></script>';
BG = BG.replace(/<\s*script.*?>.*?(<\s*\/script.*?>|$)/ig,'');
Could you please tell me what's wrong and how to fix it. Thanks.

Try this:
(/<.*?script.*?>.*?<\/.*?script.*?>/igm, '')
or
(/<script.*?>.*?<\/script>/igm, '')
(you need 'm' switch to search multi-line)

Replace / Ignore JavaScript in a String

I wrote a small RSS reader with JQuery. At first theres a screen with the titles of the articles, when clicked on a title I load the content of that article. The problem is, it contains some google ads script, which will replace the content of the article and fill the whole screen with an advertisement.
The following script is what I am tying to replace or ignore:
<script type="text/javascript"><!--
google_ad_client = "ca-pub-8356817984200457";
/* ijsselmondenieuws.nl */
google_ad_slot = "9061178822";
google_ad_width = 468;
google_ad_height = 60;
//-->
</script><br />
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
So I wrote a method which is supposed to remove the script by a simple replace:
var replaceScript='<script type="text/javascript"><!--\n' +
'google_ad_client = "ca-pub-8356817984200457";\n' +
'/* ijsselmondenieuws.nl */\n' +
'google_ad_slot = "9061178822";\n' +
'google_ad_width = 468;\n' +
'google_ad_height = 60;\n' +
'//-->\n' +
'</script>\n' +
'<script type="text/javascript"\n' +
'src="http://pagead2.googlesyndication.com/pagead/show_ads.js">\n' +
'</script>';
function removeADS(ads) {
removeAD = ads.replace(replaceScript, " ");
}
But this doesn't work, I think it's not flexible either (if it would work). When something changes in the script, the application will get stuck at the advertisement again. Is there some way to completely ignore this script while fetching the content from an RSS feed or a more flexible replacement script?
Any help is appreciated,
Thanks!

It's not very wise to parse xml/html with regex.
Use a dom parser (jquery is a beautiful one ...hint hint):
var rssContentString = '<rss version='2.0'>...',
xmlDoc = $.parseXml(rssContentString),
$xml = $(xmlDoc),
helper = $('<div />'),
result;
result = helper
.append(
$xml
.find('script')
.remove()
.end()
)
.text();
UPDATE
Based on the new comments, since you get your rss content like this :
content:$.trim($(v).find("content").text())
you can modify this expression to the following :
content:$.trim($(v).find("content").find('script').remove().end().text())

Dynamically injecting Javascript into an iframe with JQuery

I'm trying to find a way of dynamically loading a Google visualisation API table, populated from a dynamic query onto a Google spreadsheet into a Blogger blogpost.
Unfortunately, the blog style sheet seems to trash the style of the table, so I thought I'd try to inject the dynamically loaded table into an iframe and isolate it from the host page:
<script type="text/javascript" src="http://www.google.com/jsapi"></script>
<script type="text/javascript">
google.load("jquery", "1.3.2");
google.setOnLoadCallback(f1dj_iframeloader);
function f1dj_iframeloader(){
$(function() {var $frame = $('iframe');
setTimeout( function() {
var doc = $frame[0].contentWindow.document;
var $body = $('body',doc);
$body.html("<script type='text/javascript' src='http://www.google.com/jsapi'></script><script type='text/javascript'>var f1dj_sskey="tQQIIA7x9VuyVKE7UVdrytg";var f1dj_sheet=8;var f1dj_authkey='CITwr80K';google.load('visualization', '1', {'packages':['table']});function f1dj_getData(){var url='http://spreadsheets.google.com/tq?tq=select%20*&key='+f1dj_sskey+'&authkey='+f1dj_authkey+'&gid='+f1dj_sheet;var query = new google.visualization.Query(url); query.send(f1dj_displayTable);} function f1dj_displayTable(response){if (response.isError()) return;var data = response.getDataTable(); visualization = new google.visualization.Table(document.getElementById('f1dj__table'));visualization.draw(data, null);} google.setOnLoadCallback(f1dj_getData)</script><div id='f1dj__table'></div>");}, 1 );
});
}</script>
This seems to work okay in a simple HTML text page EXCEPT that:
1) in the test page, ");}, 1 );});} is also rendered on the page (so something's obviously not right...)
2) the Blogger HTML editor/parses throws a parse error and blocks the saving of the page (maybe same issue as in 1)
Any ideas how to fix this? Is there maybe something obvious I've missed?:-(

Your quotes don't match up - the double quotes for fldj_sskey=... are closing the string being passed to $body.html.
And then you've got "</script>" unencoded in the strings within your script tag, so the HTML parser thinks the script tag ends there.
You have to be careful with inline js and should really html encode it all...

This line is your problem:
$body.html("<script type='text/javascript' src='http://www.google.com/jsapi'></script><script type='text/javascript'>var f1dj_sskey="tQQIIA7x9VuyVKE7UVdrytg";var f1dj_sheet=8;var f1dj_authkey='CITwr80K';google.load('visualization', '1', {'packages':['table']});function f1dj_getData(){var url='http://spreadsheets.google.com/tq?tq=select%20*&key='+f1dj_sskey+'&authkey='+f1dj_authkey+'&gid='+f1dj_sheet;var query = new google.visualization.Query(url); query.send(f1dj_displayTable);} function f1dj_displayTable(response){if (response.isError()) return;var data = response.getDataTable(); visualization = new google.visualization.Table(document.getElementById('f1dj__table'));visualization.draw(data, null);} google.setOnLoadCallback(f1dj_getData)</script><div id='f1dj__table'></div>");}, 1 );
You are calling .html() with a string contained in double quotes (") but your string contains double quotes when you initialize the f1dj_sskey variable. This means that your string is getting closed early. You need to change the quotes in the string either to single quotes or you need to escape them.
Single quotes (change " to '):
$body.html("<script type='text/javascript' src='http://www.google.com/jsapi'></script><script type='text/javascript'>var f1dj_sskey='tQQIIA7x9VuyVKE7UVdrytg';var f1dj_sheet=8;var f1dj_authkey='CITwr80K';google.load('visualization', '1', {'packages':['table']});function f1dj_getData(){var url='http://spreadsheets.google.com/tq?tq=select%20*&key='+f1dj_sskey+'&authkey='+f1dj_authkey+'&gid='+f1dj_sheet;var query = new google.visualization.Query(url); query.send(f1dj_displayTable);} function f1dj_displayTable(response){if (response.isError()) return;var data = response.getDataTable(); visualization = new google.visualization.Table(document.getElementById('f1dj__table'));visualization.draw(data, null);} google.setOnLoadCallback(f1dj_getData)</script><div id='f1dj__table'></div>");}, 1 );
Escaping (change " to \"):
$body.html("<script type='text/javascript' src='http://www.google.com/jsapi'></script><script type='text/javascript'>var f1dj_sskey=\"tQQIIA7x9VuyVKE7UVdrytg\";var f1dj_sheet=8;var f1dj_authkey='CITwr80K';google.load('visualization', '1', {'packages':['table']});function f1dj_getData(){var url='http://spreadsheets.google.com/tq?tq=select%20*&key='+f1dj_sskey+'&authkey='+f1dj_authkey+'&gid='+f1dj_sheet;var query = new google.visualization.Query(url); query.send(f1dj_displayTable);} function f1dj_displayTable(response){if (response.isError()) return;var data = response.getDataTable(); visualization = new google.visualization.Table(document.getElementById('f1dj__table'));visualization.draw(data, null);} google.setOnLoadCallback(f1dj_getData)</script><div id='f1dj__table'></div>");}, 1 );

Categories