What's your rating of RailsCasts

Why Escape_Javascript Before Part Rendering?

I'm watching this Railscast episode and wonder why the call is needed here:

What is it used for?

According to the Rails documents:

Escape_Javascript (Javascript)

Escape Carrier returns and single and double quotes for JavaScript segments.

But that doesn't mean much to me.


Because you don't want users to publish JavaScript that the browser is actually running?

It's easier to understand when you break the code into two parts.

The first part is Javascript with erb, which means that the will be replaced by the Ruby code it contains. The result of this replacement must be valid Javascript, otherwise an error will be thrown when the client tries to process it. So that's the first: you need valid Javascript .

Another thing to keep in mind is that anything Ruby produces must be in a javascript string with double quotes - notice the double quotes around that. This means that the generated Javascript looks like this:

Now let's examine the ruby ​​part inside. What does it do? A part is being rendered - which means it can render any kind of code - HTML, CSS ... or even more Javascript!

So what if our part contains simple HTML like this?

Remember that your javascript took a string in double quotes as a parameter? If we just replace that with the code from this part, we have a problem - there is a double quote immediately after! Javascript is invalid:

To prevent this from happening, you want this special character escape so that your string is not truncated. Instead, you need something that will generate this:

What does. It ensures that the returned string does not "break" any Javascript. When you use it, you get the output you want:


Users can post malicious code (malicious users) that, if not hijacked, could run, giving users control of your application.

Try this:

I'm not really familiar with the syntax of rails, but if you don't escape you will see a warning message and I don't think this is behavior by design.

If you look at the source here, it becomes a lot clearer.

This function does the following two things:

  1. It replaces the characters in the input string with those defined in JS_ESCAPE_MAP

    This is to ensure that the Javascript code is correctly serialized without affecting the outer string in which it is embedded. For example, if you have a javascript string enclosed in double quotes, then all quotation marks for string literals must be enclosed in single quotes to avoid corrupting the code.

  2. The function also checks whether the resulting string is HTML-safe. If not, the necessary escape character is performed to ensure that the string becomes HTML safe and returns the result.

When you use Escape_Javascript, it is usually embedded dynamically in another string or existing HTML. You need to make sure that this doesn't render your entire page.

Some aspects of this answer were highlighted in other answers, but I wanted to bring all of the elements together, including the difference between Javascript Escape and HTML Escape. Some answers also indicate that this feature helps avoid pasting scripts. I don't think that's the purpose of this feature. For example, if your review has a warning ("Hello") in your review, just appending it to the node will not trigger the popup. You don't put it in a function that is triggered when the page loads or by any other event. Just having a warning ('hi there') as part of your HTML doesn't mean it is running as Javascript.

Even so, I am not denying that script injection is not an option. To avoid this, you need to take steps when storing the user data in your database. The function and example you provided are for rendering the information that has already been saved.

I hope this helps and answers your question.

We use cookies and other tracking technologies to improve your browsing experience on our website, to show you personalized content and targeted ads, to analyze our website traffic, and to understand where our visitors are coming from.

By continuing, you consent to our use of cookies and other tracking technologies and affirm you're at least 16 years old or have consent from a parent or guardian.

You can read details in our Cookie policy and Privacy policy.