Hiding contents of a js array in the view

Hi

The problem is that the whole array is included in the html
and users can see it if they look at the html source. I want to hide
this information from the user for 2 reasons:
1) it makes the html source huge

One way would be to simply define jsarray as a global variable in the
head of your HTML file on first page load. Then populate it with a
second ajax call after the page loads. I don't know how the
Autocompleter handles that variable (I've never used Autocompleter.Local
before), it looks as though updating jsarray after the page loads (with
the Autocompleter already initialized) won't do much. If this is the
case, you could try setting the Autocompleter with the same rjs you're
using to set jsarray.

Sadly, this approach will mean that you will have to spend two requests
per page load (the first being the actual page load, and the second an
ajax call to populate the array) If this is an in-house project or will
otherwise be receiving relatively little traffic this shouldn't be much
of a problem. Also, this ajax call will take as long as typing something
in a regular Autocompleter would have taken to respond (if I'm correct)
so its not exactly blasphemous...

This could be done with something like the following

#view
<%=javascript_tag("var jsarray = new Array();")%>
<%=javascript_tag(remote_function(:url => {...}))%>

#controller
def foo
    some_array = #populate some_array

    render(:update) do |page|
       page.assign('jsarray', some_array.inspect)
       #cool use of inspect btw,
       #rails has 'array_or_string_for_javascript',
       #but inspect is pretty cool

        page << "new Autocompleter.Local(..., ..., jsarray , {...} ); "
#the line from your view
    end
end

2) more important I want to only let users access it through the
autocomplete functionality. I don't want them to see all the options.

If this is your greatest issue, you could try looking at encoding the
array so humans will have a difficult time seeing the values?

jsarray = ['f^o^o', 'b^a^r']
for (int i=0; i < jsarray.length; i++)
  jsarray[i].replace(/\^/, '');

Of course you should use slightly better encryption :wink:

You could have a hash that maps encoded letters to their real counterparts?

enc_hash = {b: "a",
                       c: "b",
                       ....}

jsarray = new Array();
//these are the 'encrypted' values that the original jsarray would have had
encoded_array = ['bc', 'cb']

for(int word=0; word < encoded_array.length; word++)
{
  endstr = "";
  for(int letter=0; letter < encoded_array[word].length; letter++)
    endstr += enc_hash[encoded_array[word][letter]];
  jsarray.push(enstr)
}

jsarray == ['ab', 'ba'] // true

It's been a while since I did anything with javascript so the above
might not work, but I got carried away and couldn't stop :wink:

A third possibility would be to look at the Unobtrusive Javascript
Plugin (http://ujs4rails.com). I've never used it, but it sounded like
they magically got all your regular JS out of the html file being served
to the client? I might have misunderstood what they do but it should
still be a good source of inspiration? This could let you define the
jsarray exactly as you do now, but have it somewhere (an automatically
generated .js file that gets served alongside the html without you
telling it to? I don't know how they do it) other than the html source
of the page.

I can't think of any other ways at the moment, but maybe someone else in
here has faced a similar problem?

Cheery-o
Gustav Paul

Unobtrusive JavaScript is simply for PrototypeHelper calls, it’s not going to magically move all Javascript out of the HTML. With this plugin, any call to remote_form_for, etc gets an entry in ujs.js (something liek that) which registers the associated DOM elements with AJAX calls, leaving your HTML clean of JS with a bonus of being sure that your site works when javascript is turned off.

As for hiding information from people, you don’t put it in Javascript. It doesn’t matter how hard you try, if you want something hidden, keep it on the server because JavaScript and HTML sources are impossible to “hide”. Seeing as you want autocomplete, you’re going at it entirely wrong. Autocomplete should be AJAX calls back to the server as the contents of the text-field change for the reason you mentioned earlier: the list of possible choices can be HUGE.

Besides, Rails already includes everything you need for autocomplete: http://api.rubyonrails.com/classes/ActionController/Macros/AutoComplete/ClassMethods.html

Jason