I'm trying to do this in a .js header:

tmp.setAttribute("onclick", '<%= remote_function(:update => "mainbody", :url => { :controller => :subject, :action => :new }) %>')

I've fiddled with the syntax slightly (e.g. ' vs " vs \") but the best I seem to get is an "Illegal XML character" error from Firebug, citing the erb tag above, which worked fine in the page source itself. How can I *use DOM* to set an "onclick" method to a Rails/ERb function?

--
Posted via http://www.ruby-forum.com/.
After googling for a bit I now believe that you simply *cannot* put erb tags in a .js file. I managed to get around this by rewriting the DOM as HTML and putting it in a partial, such that the (different) onclick that was supposed to call a js function with erb in it now calls an erb function with a js function in it...

<span onclick="<%= remote_function(:update => "dropinner", :url => { :action => :rendpart, :part => "addmenu" }, :success => "new Effect.BlindDown('dropmenu')") %>">

but if anyone knows how to do what I have in the OP, please lemme know for future reference.

Also, is there a way to call "render" from within remote_function(:url => {}) so I can skip the controller function that calls render?

def rendpart
  render :partial => params[:part]
end

--
Posted via http://www.ruby-forum.com/.
On May 31, 8:24 pm, Mk 27 <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> After googling for a bit I now believe that you simply *cannot* put erb
> tags in a .js file.

Normal js files are just served as-is (and if you have set things up right they never even touch Rails at all, i.e. they are served directly by nginx or apache). If you have an action that renders a .js.erb template you'll get what you want.

> I managed to get around this by rewriting the DOM as HTML and putting it
> in a partial, such that the (different) onclick that was supposed to
> call a js function with erb in it now calls an erb function with a js
> function in it...
>
> <span onclick="<%= remote_function(:update => "dropinner",
> :url => { :action => :rendpart, :part => "addmenu" },
> :success => "new Effect.BlindDown('dropmenu')") %>">
>
> but if anyone knows how to do what I have in the OP, please lemme know
> for future reference.
>
> Also, is there a way to call "render" from within remote_function(:url
> => {}) so I can skip the controller function that calls render?

Nope. remote_function just generates a blob of javascript that calls an appropriate controller action.

> def rendpart
>   render :partial => params[:part]
> end

I have a sneaking suspicion that would allow an attacker to read any file on your hard disk (by passing the absolute path to the file as params[:part]).

Fred

> --
> Posted via http://www.ruby-forum.com/.
Thanks Fred. Two more questions:

Frederick Cheung wrote:
> Normal js files are just served as-is (and if you have set things up
> right they never even touch Rails at all, i.e. they are served directly by
> nginx or apache).
>
> If you have an action that renders a .js.erb template you'll get what
> you want.

Yes, I ran across some references to ".js.erb" files; unfortunately I have not found much of an explanation of them. I have a couple of books from the library ("The Art of Rails", IMO at best mediocre, and "Ajax on Rails", which seems great). I even grepped through the API for "\.js\.erb" and it's not in there even once... perhaps the suffix recently changed? Anyway, any pointers to reading material here would be much appreciated.

> I have a sneaking suspicion that would allow an attacker to read any
> file on your hard disk (by passing the absolute path to the file as
> params[:part])

I just tried that; it might work if the filename has a _ for a prefix, but I doubt that since the server error also refers to the "views path app/views". I am just working at home while learning anyway. I was surprised when I noticed I get unrestricted access to the filesystem by default; I presume WEBrick was not intended for security. I would assume that if/when I put something up on a real server, they will not be permitting that possibility if it can be prevented? Otherwise I'm surprised anyone hosts Rails at all... but further thoughts from anyone would be welcome.

--
Posted via http://www.ruby-forum.com/.
On May 31, 11:19 pm, Mk 27 <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> I even grepped through the API for "\.js\.erb" and it's not in there
> even once... perhaps the suffix recently changed? Anyway, any pointers
> to reading material here would be much appreciated.

Template extensions have two parts: the js (or html, or something else) tells Rails what you are producing. The second part tells Rails what should be used to render it: erb, haml, markaby, builder etc. js.erb just means 'this is javascript and you should run it through erb first'. Other than that there's not a whole lot to explain.

> I am just working at home while learning anyway. I was surprised when I
> noticed I get unrestricted access to the filesystem by default; I
> presume WEBrick was not intended for security. I would assume that
> if/when I put something up on a real server, they will not be permitting
> that possibility if it can be prevented? Otherwise I'm surprised anyone
> hosts Rails at all... but further thoughts from anyone would be welcome.

That's up to you really. Run your app code as a user that doesn't have access to more than it needs to.

Fred

> --
> Posted via http://www.ruby-forum.com/.
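As an added example (not code from the thread or from Rails itself), a Rails-free Ruby sketch of the `rendpart` action Fred flagged, beside an allow-listed version. It approximates the old `render :partial` lookup ("foo/bar" becomes app/views/foo/_bar.html.erb, which is why the "_ prefix" observation above holds) and shows which path each version would read; `VIEWS_PATH` and the allowed partial names are constructed assumptions.

```ruby
require 'pathname'

# Constructed stand-in for the application's app/views directory.
VIEWS_PATH = Pathname.new('/srv/app/app/views').freeze

# Approximates how `render :partial => name` located a template:
# "foo/bar" resolves to app/views/foo/_bar.html.erb. Returns that path.
# Note that Pathname#+ with an absolute right-hand side discards the base,
# so an absolute name escapes app/views entirely.
def partial_path(part)
  dir, base = File.split(part)
  (VIEWS_PATH + dir + "_#{base}.html.erb").cleanpath
end

# The action as posted: the request parameter goes straight into the lookup.
def rendpart_unsafe(params)
  partial_path(params[:part])
end

# Only the partials the view layer actually offers (assumed names).
ALLOWED_PARTS = %w[addmenu dropmenu].freeze

# Hardened version: the parameter selects from a fixed set, and the
# resolved path is additionally checked to sit below app/views.
def rendpart_safe(params)
  part = params[:part].to_s
  return nil unless ALLOWED_PARTS.include?(part)
  path = partial_path(part)
  return nil unless path.to_s.start_with?("#{VIEWS_PATH}/")
  path
end

if __FILE__ == $PROGRAM_NAME
  [{ part: 'addmenu' }, { part: '/srv/secrets/database' }].each do |p|
    puts "unsafe: #{rendpart_unsafe(p)}   safe: #{rendpart_safe(p).inspect}"
  end
end
```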
Mk 27 wrote:
> I'm trying to do this in a .js header:
>
> tmp.setAttribute("onclick", '<%= remote_function(:update => "mainbody",
> :url => { :controller => :subject, :action => :new }) %>')
[...]
> How can I *use DOM* to set an "onclick" method to a Rails/ERb function?

There's a pattern I use quite often when I have to pass a value from a Rails calculation to JS. Put the value in a hidden element, then have the JS look at the value of that element. In your case:

### CSS file
.hidden {display: none;}

### ERb view file
<div id='remote'><%= remote_function(:update => "mainbody", :url => { :controller => :subject, :action => :new }) %></div>

### JS file
tmp.setAttribute('onclick', $('remote').innerHTML);

Does that help?

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org

--
Posted via http://www.ruby-forum.com/.
Marnen Laibow-Koser wrote:
> <div id='remote'>

I forgot the class="hidden", but the rest of the example is sound.

Best,
Marnen

--
Posted via http://www.ruby-forum.com/.