Kim

Reputation: 2156

ruby on rails/javascript - errors with escaping html characters

In my RoR application, the user selects an option from a popup and the selected value is passed to hidden fields found in my parent form. The problem occurs when passing values containing HTML characters (e.g. <a href= ""> ) to the parent form.

In my popup, I have a link as follows which passes a value to the main form:

popup code:

<% @users.each do |user| %>
  <%= link_to_function "PassValue", "sendValue('"+ user.location+ "')" %>
<% end %>

application.js:

function sendValue(location){
  window.opener.document.getElementById('submission_user_attributes_location').value = location;
}

The location value retrieved from the database can contain HTML chars like '', and this is where my sendValue function is not working.

Please can someone help me on this.

Many many thanks in advance for your help :)

Upvotes: 0

Views: 578

Answers (1)

marcgg

Reputation: 66436

Please do not use obtrusive JavaScript. Try rewriting this code using non-obtrusive JavaScript and it will prevent you from running into more problems in the future. See this railscast for more info: http://railscasts.com/episodes/205-unobtrusive-javascript

This being said, you could fix your problem by encoding your user.location with URI.encode, or escape quotes manually, or use escape_javascript.

My favorite solution is escape_javascript. From the documentation:

escape_javascript - Escape carrier returns and single and double quotes for JavaScript segments.

# File actionpack/lib/action_view/helpers/javascript_helper.rb, line 50
def escape_javascript(javascript)
  if javascript
    javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
  else
    ''
  end
end

Upvotes: 1
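
The escaping suggested in the answer, as an added example that is not part of the original post or the Rails source: `escape_js` reuses the regex quoted above with an assumed `JS_ESCAPE_MAP`, `single_literal?` is a hypothetical checker, and the sample values are constructed. It goes one step beyond the answer by also HTML-escaping the call, since an escaped `\"` would still end an `onclick="..."` attribute.

```ruby
require 'erb'

# Assumed escape map for the characters matched by the regex quoted in the
# answer (written for this example, not copied from Rails).
JS_ESCAPE_MAP = {
  '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n', "\n" => '\n', "\r" => '\n',
  '"' => '\\"', "'" => "\\'"
}.freeze

def escape_js(value)
  return '' unless value
  value.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
end

# Builds the JS call from the question; escape: false reproduces the
# original string concatenation.
def send_value_call(location, escape: true)
  "sendValue('#{escape ? escape_js(location) : location}')"
end

# Hypothetical checker: true when the argument is one intact single-quoted JS
# string (no unescaped quote, no raw line break, no dangling backslash).
def single_literal?(call)
  body = call[/\AsendValue\('(.*)'\)\z/m, 1]
  return false unless body
  i = 0
  while i < body.length
    case body[i]
    when '\\' then i += 1 # skip the character the backslash escapes
    when "'", "\n", "\r" then return false
    end
    i += 1
  end
  i == body.length
end

# Second layer: the call sits inside an HTML attribute, so HTML-escape it too.
def onclick_attr(location)
  %(onclick="#{ERB::Util.html_escape(send_value_call(location))}")
end

# Constructed sample values, not data from the question.
SAMPLES = [%q(<a href="">O'Hare</a>), "Line 1\nLine 2", 'C:\\'].freeze

SAMPLES.each do |loc|
  puts "raw ok: #{single_literal?(send_value_call(loc, escape: false))}, " \
       "escaped ok: #{single_literal?(send_value_call(loc))}"
  puts onclick_attr(loc)
end
```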
