Javascript with embedded Ruby: How to safely assign a ruby value to a javascript variable

Question

I have this line in a javascript block in a page:

res = foo('<%= @ruby_var %>');

What is the best way to handle the case where @ruby_var has a single-quote in it? Else it will break the JavaScript code.

TFKyle · Accepted Answer · 2008-09-20T00:58:42.753

11

I think I'd use a ruby JSON library on @ruby_var to get proper js syntax for the string and get rid of the '', fex.:

res = foo(<%= @ruby_var.to_json %>)

(after require "json"'ing, not entirely sure how to do that in the page or if the above syntax is correct as I havn't used that templating language)

(on the other hand, if JSON ever changed to be incompatible with js that'd break, but since a decent amount of code uses eval() to eval json I doubt that'd happen anytime soon)

edited Sep 20 '08 at 00:58

answered Sep 20 '08 at 00:29

TFKyle

856
6
12

Rails already comes with String#to_json, so you don't even need to include any libraries: http://api.rubyonrails.com/classes/Object.html#M000022 – Grant Hutchins Oct 11 '08 at 21:54
.to_json adds html quotes(") to my string – akxer Jun 06 '16 at 06:27

score 8 · Answer 2 · answered Feb 14 '12 at 19:48

Rails has method specifically dedicated to this task found in ActionView::Helpers::JavaScriptHelper called escape_javascript.

In your example, you would use the following:

res = foo('<%= escape_javascript @ruby_var %>');

Or better yet, use the j shortcut:

res = foo('<%= j @ruby_var %>');

score 2 · Answer 3 · answered Sep 20 '08 at 00:13

2

@ruby_var.gsub(/[']/, '\\\\\'')

That will escape the single quote with an apostrophe, keeping your Javascript safe!

Also, if you're in Rails, there are a bunch of Javascript-specific tools.

answered Sep 20 '08 at 00:13

Max Cantor

8,229
7
45
59

What if there was a \ already in the code? You need to escape \ before you escape '. – user11318 Sep 20 '08 at 00:26
yeah, to handle bentilly's case you need: `@ruby_var.gsub(/['\\]/, '\\\\\0')` – rampion Sep 20 '08 at 13:41

score 2 · Answer 4 · answered Sep 20 '08 at 02:24

2

Could you just put the string in a double-quote?

res = foo("<%= @ruby_var %>");

answered Sep 20 '08 at 02:24

Toby Hede

36,755
28
133
162

but then what if @ruby_var has a double quote in it? – Yoni Baciu Sep 22 '08 at 15:40

score 2 · Answer 5 · answered Oct 10 '08 at 17:34

2

You can also use inspect assuming you know it'll be a single quote:

res = foo(<%= @ruby_var.inspect %>);

answered Oct 10 '08 at 17:34

Caged

963
9
11

score 0 · Answer 6 · answered Sep 20 '08 at 15:06

I don't work with embedded Ruby too much. But how about using p (which invokes inspect) instead of <%= which might be doing something like print or puts. p always prints the string as if it were code wrapped in double quotes:

>> p "String ' \" String"
"String ' \" String"
# => nil  
>> p 'alpha " \' alpha'
"alpha \" ' alpha"
# => nil

score 0 · Answer 7 · edited Dec 14 '16 at 10:45

0

You may want to use the following first property, to get rid of the " from your string and then you can go ahead and use your json function.

res = foo('<%= @ruby_var %>.first');

edited Dec 14 '16 at 10:45

CroMagnon

1,218
7
20
32

answered Dec 14 '16 at 10:05

Rakshit Singh

169
6

Javascript with embedded Ruby: How to safely assign a ruby value to a javascript variable

7 Answers7

Linked