Wrong HTML escaping for data type html #176

Open
stereodenis opened this issue Jan 16, 2017 · 3 comments

stereodenis commented Jan 16, 2017

https://github.com/JangoSteve/remotipart/blob/master/lib/remotipart/render_overrides.rb#L18

if remotipart_submitted?
    textarea_body = response.content_type == 'text/html' ? html_escape(response.body) : response.body
    response.body = %{<script type=\"text/javascript\">try{window.parent.document;}catch(err){document.domain=document.domain;}</script> <textarea data-type=\"#{response.content_type}\" data-status=\"#{response.response_code}\" data-statusText=\"#{response.message}\">#{textarea_body}</textarea>}
    response.content_type = ::Rails.version >= '5' ? Mime[:html] : Mime::HTML
end

html_escape(response.body)
=> "&lt;div class=&#39;b-service-zones__item js-zone&#39; data-id=&#39;47&#39;&gt;\n  &lt;div class=&#39;b-service-zones__item__content&#39;&gt;\n    &lt;div class=&#39;b-service-zones__item__title&#39;&gt;Тестовая зона приёма&lt;/div&gt;\n    &lt;div class=&#39;b-service-zones__item__category&#39;&gt;Приёмная зона&lt;/div&gt;\n  &lt;/div&gt;\n  &lt;div class=&#39;b-service-zones__item__actions&#39;&gt;\n    &lt;a class=&quot;b-service-zones__item__action edit js-link-to-side js-edit spec-zone-edit&quot; data-remote=&quot;true&quot; href=&quot;/reception_zones/47/edit&quot;&gt;&lt;/a&gt;\n    &lt;a data-type=&quot;json&quot; class=&quot;b-service-zones__item__action destroy js-destroy&quot; data-remote=&quot;true&quot; rel=&quot;nofollow&quot; data-method=&quot;DELETE&quot; href=&quot;/reception_zones/47&quot;&gt;&lt;/a&gt;\n  &lt;/div&gt;\n&lt;/div&gt;\n"

render_without_remotipart works for me

@leoduquesnel

Great thank you

DemidenkoAndrey commented Jul 6, 2017

Hello. Is there any update with this issue?
When I try
textarea_body = html_escape(response.body)
everything is going fine.

mrj commented Jul 26, 2017

render_without_remotipart works in Firefox, but not Chrome.

A normal remotipart render with the Remotipart code changed to always escape, as described by Andrey, seems to work on both browsers.
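
Added example, not part of the issue thread and not remotipart's own code: a stand-alone Ruby model of the textarea wrapper quoted above. It compares the conditional escape with the always-escape change discussed in the comments: an escaped body reads back unchanged, while an unescaped body containing `</textarea>` is cut short. `wrap_body`, `read_textarea`, `round_trips?` and both sample bodies are hypothetical names and constructed data, and `read_textarea` only approximates how a browser reads the textarea.

```ruby
require 'cgi'

# Added example, not remotipart's code. wrap_body, read_textarea and
# round_trips? are hypothetical helpers; both sample bodies are constructed.

# Simplified model of the wrapper quoted in the issue: the body is escaped only
# when content_type == 'text/html', unless always_escape is set.
def wrap_body(body, content_type, always_escape: false)
  escape = always_escape || content_type == 'text/html'
  textarea_body = escape ? CGI.escapeHTML(body) : body
  %(<textarea data-type="#{CGI.escapeHTML(content_type)}">#{textarea_body}</textarea>)
end

# Approximates what a client reads back from the iframe: textarea content ends
# at the first </textarea>, and character references inside it are decoded.
def read_textarea(wrapped)
  inner = wrapped[%r{<textarea[^>]*>(.*?)</textarea>}mi, 1]
  CGI.unescapeHTML(inner.to_s)
end

# True when the client-side view of the wrapped response equals the original body.
def round_trips?(body, content_type, always_escape: false)
  read_textarea(wrap_body(body, content_type, always_escape: always_escape)) == body
end

# Constructed HTML body with quotes and an existing entity.
HTML_BODY = %(<div class='zone' data-id="47">A &amp; B</div>\n)
# Constructed body whose content type fails the equality check and which
# happens to contain a closing textarea tag.
OTHER_BODY = %({"html":"<p>one</p></textarea><p>two</p>"})

if __FILE__ == $PROGRAM_NAME
  puts "text/html, conditional escape:     #{round_trips?(HTML_BODY, 'text/html')}"
  puts "other type, conditional escape:    #{round_trips?(OTHER_BODY, 'application/json')}"
  puts "other type, always escape:         #{round_trips?(OTHER_BODY, 'application/json', always_escape: true)}"
  puts "client sees (unescaped other type): #{read_textarea(wrap_body(OTHER_BODY, 'application/json'))}"
end
```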
