rails Erb w/ setAttribute "onclick"

I'm trying to do this in a .js header:

tmp.setAttribute("onclick",'<%= remote_function(:update => "mainbody", :url => { :controller => :subject, :action => :new }) %>')

I've fiddled with the syntax slightly (eg, ' vs " vs \") but the best I seem to get is an "Illegal XML character" error from firebug, citing the erb tag above, which tag worked fine in the page source itself.

How can I *use the DOM* to set an "onclick" method to a rails/Erb function?

After googling for a bit I now believe that you simply *cannot* put erb tags in a .js file.

I managed to get around this by rewriting the DOM as html and putting it in a partial, such that the (different) onclick that was supposed to call a js function with erb in it now calls an erb function with a js function in it...

<span onclick="<%= remote_function(:update => "dropinner", :url => { :action => :rendpart, :part => "addmenu" }, :success => "new Effect.BlindDown('dropmenu')") %>">

but if anyone knows how to do what I have in the OP, please lemme know for future reference.

Also, is there a way to call "render" from within remote_function(:url => {}) so I can skip the controller function that calls render?

   def rendpart
     render :partial => params[:part]
   end

After googling for a bit I now believe that you simply *cannot* put erb tags in a .js file.

Normal js files are just served as-is (and if you have set things up right they never even touch rails at all, i.e. they are served directly by nginx or apache).

If you have an action that renders a .js.erb template you'll get what you want.

I managed to get around this by rewriting the DOM as html and putting it in a partial, such that the (different) onclick that was supposed to call a js function with erb in it now calls an erb function with a js function in it...

<span onclick="<%= remote_function(:update => "dropinner", :url => { :action=>:rendpart, :part=>"addmenu" }, :success => "new Effect.BlindDown('dropmenu')")%>">

but if anyone knows how to do what I have in the OP, please lemme know for future reference.

Also, is there a way to call "render" from within remote_function(:url => {}) so I can skip the controller function that calls render?

Nope. remote_function just generates a blob of javascript that calls an appropriate controller action.

   def rendpart
     render :partial => params[:part]
   end

I have a sneaking suspicion that would allow an attacker to read any file on your hard disk (by passing the absolute path to the file as params[:part])

Fred
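A guarded version of that action, as an added example that is not from the thread or from Rails itself: the partial name is resolved against a fixed allowlist before it reaches render, so an arbitrary path in params[:part] is refused. The SubjectController class here is an assumed stand-in so the code runs without Rails; the comments mark where the real Rails calls go.

```ruby
require "set"

module PartialGuard
  # Only the partials the UI actually needs; new ones are added here on purpose.
  ALLOWED = Set.new(%w[addmenu dropmenu]).freeze

  # Returns the partial name to render, or nil if the request is not allowed.
  # The character check is defence in depth: nothing containing "/" or "."
  # can get through even if an allowlist entry is later mistyped.
  def self.resolve(raw)
    name = raw.to_s
    return nil unless name.match?(/\A[a-z0-9_]+\z/)
    return nil unless ALLOWED.include?(name)
    name
  end
end

# Stand-in for the Rails controller (assumption, so this runs without Rails).
# It records what the real action would do instead of rendering.
class SubjectController
  attr_reader :params, :rendered, :status

  def initialize(params)
    @params = params
  end

  def rendpart
    part = PartialGuard.resolve(params[:part])
    if part
      @rendered = part   # Rails: render :partial => part
      @status = 200
    else
      @rendered = nil    # Rails: head :not_found
      @status = 404
    end
    self
  end
end
```
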

I even grepped through the API for "\.js\.erb" and it's not in there even once...perhaps the suffix recently changed? Anyway, any pointers to reading material here would be much appreciated.

Template extensions have two parts: the js (or html, or something else) tells rails what you are producing. The second part tells rails what should be used to render it: erb, haml, markaby, builder etc... js.erb just means 'this is javascript and you should run it through erb first'. Other than that there's not a whole lot to explain.

I am just working at home while learning anyway. I was surprised when I noticed I get unrestricted access to the filesystem by default; I presume WEBrick was not intended for security. I would assume that if/when I put something up on a real server, they will not be permitting that possibility if it can be prevented? Otherwise I'm surprised anyone hosts Rails at all...but further thoughts from anyone would be welcome.

that's up to you really. Run your app code as a user that doesn't have access to more than it needs to.

Fred

Mk 27 wrote:

I'm trying to do this in a .js header:

tmp.setAttribute("onclick",'<%= remote_function(:update => "mainbody", :url => { :controller => :subject, :action => :new }) %>')

[...]

How can I *use the DOM* to set an "onclick" method to a rails/Erb function?

There's a pattern I use quite often when I have to pass a value from a Rails calculation to JS. Put the value in a hidden element, then have the JS look at the value of that element. In your case:

### CSS file
.hidden {display: none;}

### ERb view file
<div id='remote'>
  <%= remote_function(:update => "mainbody",
                      :url => { :controller => :subject, :action => :new }) %>
</div>

### JS file
tmp.setAttribute('onclick', $('remote').innerHTML);

Does that help?

Best,

Marnen Laibow-Koser wrote:

<div id='remote'>

I forgot the class="hidden", but the rest of the example is sound.

Best, Marnen

Marnen Laibow-Koser wrote:

Does that help?

Yeah, I see what you're doing. Thanks Marnen.