Pass variables to JavaScript in ExpressJS

Question

I am completely lost on this; I am using NodeJS to fetch a JSON and I need to pass the variable to my page and have JavaScript use the data.

app.get('/test', function(req, res) {
    res.render('testPage', {
        myVar: 'My Data'
    });

That is my Express code (very simple for testing purposes); now using EJS I want to gather this data which I know to render on the page is simply

<%= myVar %>

But I need to be able to gather this data in JavaScript (if possible within a .js file) but for now just to display the variable in an Alert box I have tried

In Jade it is like alert('!{myVar}') or !{JSON.stringify(myVar)}. Can I do something similar in EJS. I don't need any field like <input type=hidden> and taking the value of the field in javascript. If anyone can help be much appreciated

robertklep · Accepted Answer · 2015-08-28T14:10:06.697

80

You could use this (client-side):

<script>
  var myVar = <%- JSON.stringify(myVar) %>;
</script>

You could also get EJS to render a .js file:

app.get('/test.js', function(req, res) {
  res.set('Content-Type', 'application/javascript');
  res.render('testPage', { myVar : ... });
});

However, the template file (testPage) would still need to have the .html extension, otherwise EJS won't find it (unless you tell Express otherwise).

As @ksloan points out in the comments: you do have to be careful what myVar contains. If it contains user-generated content, this may leave your site open for script injection attacks.

A possible solution to prevent this from happening:

<script>
  function htmlDecode(input){
    var e = document.createElement('div');
    e.innerHTML = input;
    return e.childNodes.length === 0 ? "" : e.childNodes[0].nodeValue;
  }
  var myVar = JSON.parse(htmlDecode("<%= JSON.stringify(myVar) %>"));
</script>

edited Aug 28 '15 at 14:10

answered Apr 19 '13 at 06:39

robertklep

198,204
35
394
381

btw, I managed to get ejs to recognise a .js template by adding this to my server.js app.engine('js', require('ejs').renderFile); – Michael Dausmann Apr 21 '13 at 22:37
You can also use some simple ou double quotes surround the code. <%-JSON.stringify(myVar) %>; to "<%- JSON.stringify(myVar) %>;" – Ito Jan 26 '14 at 19:21
2

be careful, because if myVar has any user-generate content in it, your site will be vulnerable to XSS attacks – ksloan Aug 27 '15 at 20:45
@ksloan using `JSON.stringify()`? – robertklep Aug 27 '15 at 20:59
3

@robertklep yes, look at this example: https://jsfiddle.net/k1x230d8/ (it just send an alert). This works since ```JSON.stringify(" – ksloan Aug 28 '15 at 00:31
@ksloan of course, you're right. I edited the answer to point this issue out. – robertklep Aug 28 '15 at 06:33
JSON.parse will fail if myVar has a property with value with unescaped double quote – user732456 Feb 21 '16 at 12:38
I just tested your suggestion with htmlDecode that should prevent XSS. However, unless I'm mistaken, it doesn't seem to work. Check this fiddle: https://jsfiddle.net/a6618gv2/1/ – Kito Feb 22 '16 at 13:08
1

@Kito it works _iff_ `myVar` is passed as a variable from Express to EJS. Your fiddle skips that step (and in fact throws an EJS exception if used as template). – robertklep Feb 22 '16 at 13:34
If you render without template, can you still pass variables `res.render('test.js', { myVar : ... });`? I'd like to preserve the `js` file extension – João Pimentel Ferreira Dec 31 '17 at 17:43
@JoãoPimentelFerreira `res.render()` by definition requires a template, although you can probably set Express/EJS up so that you can use the `.js` extension for templates as well. – robertklep Dec 31 '17 at 17:45
@robertklep according to the documentation of EJS "If the path (of the view) does contain a file extension, then Express will load the module for the specified template engine (via require()) and render it using the loaded module’s __express function." My question is whether there is any simple template for js files or how can I simple render a js file with an absolute path. – João Pimentel Ferreira Dec 31 '17 at 17:52
2

@JoãoPimentelFerreira you can still use EJS to "render" `.js` files, like this: `app.engine('js', require('ejs').renderFile)` (and put the `.js` file in the "views" directory) – robertklep Dec 31 '17 at 17:55
@robertklep thank you so much. And if I want to have my js file in another directory? – João Pimentel Ferreira Dec 31 '17 at 18:12
1

@JoãoPimentelFerreira you can change the location of the views directory (or set more than one) using [`app.set('views', ...)`](http://expressjs.com/en/4x/api.html#app.settings.table) – robertklep Dec 31 '17 at 18:13
Note that if your dataset is very large, it might be broken up into multiple nodes, and hence e.childNodes with have a length of more than 1. To concatenate the data, use the normalize function, i.e `e.normalize()` on the line before the return statement. – JohnDoe Jan 07 '21 at 15:11

Raphaël Champeimont · Answer 2 · 2016-06-20T12:10:15.360

The main difficulty here is to avoid XSS risks if myVar contains quotes, or </script> for example. To avoid this problem, I propose to use Base64 encoding after JSON.stringify. This would avoid all risks related to quotes or HTML tags since Base64 only contains "safe" characters to put in a quoted string.

The solution I propose:

EJS file:

<script>
  var myVar = <%- passValue(myVar) %>
</script>

which will render into something like (for example here myVar = null):

<script>
  var myVar = JSON.parse(Base64.decode("bnVsbA=="))
</script>

Server-side NodeJS:

function passValue(value) {
  return 'JSON.parse(Base64.decode("' + new Buffer(JSON.stringify(value)).toString('base64') + '"))'
}

Client-side JS (this is an implementation of Base64 decoding that works with Unicode, you can use another if you prefer but be careful if it supports Unicode):

var Base64={_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(e){var t="";var n,r,i,s,o,u,a;var f=0;e=Base64._utf8_encode(e);while(f<e.length){n=e.charCodeAt(f++);r=e.charCodeAt(f++);i=e.charCodeAt(f++);s=n>>2;o=(n&3)<<4|r>>4;u=(r&15)<<2|i>>6;a=i&63;if(isNaN(r)){u=a=64}else if(isNaN(i)){a=64}t=t+this._keyStr.charAt(s)+this._keyStr.charAt(o)+this._keyStr.charAt(u)+this._keyStr.charAt(a)}return t},decode:function(e){var t="";var n,r,i;var s,o,u,a;var f=0;e=e.replace(/[^A-Za-z0-9\+\/\=]/g,"");while(f<e.length){s=this._keyStr.indexOf(e.charAt(f++));o=this._keyStr.indexOf(e.charAt(f++));u=this._keyStr.indexOf(e.charAt(f++));a=this._keyStr.indexOf(e.charAt(f++));n=s<<2|o>>4;r=(o&15)<<4|u>>2;i=(u&3)<<6|a;t=t+String.fromCharCode(n);if(u!=64){t=t+String.fromCharCode(r)}if(a!=64){t=t+String.fromCharCode(i)}}t=Base64._utf8_decode(t);return t},_utf8_encode:function(e){e=e.replace(/\r\n/g,"\n");var t="";for(var n=0;n<e.length;n++){var r=e.charCodeAt(n);if(r<128){t+=String.fromCharCode(r)}else if(r>127&&r<2048){t+=String.fromCharCode(r>>6|192);t+=String.fromCharCode(r&63|128)}else{t+=String.fromCharCode(r>>12|224);t+=String.fromCharCode(r>>6&63|128);t+=String.fromCharCode(r&63|128)}}return t},_utf8_decode:function(e){var t="";var n=0;var r=c1=c2=0;while(n<e.length){r=e.charCodeAt(n);if(r<128){t+=String.fromCharCode(r);n++}else if(r>191&&r<224){c2=e.charCodeAt(n+1);t+=String.fromCharCode((r&31)<<6|c2&63);n+=2}else{c2=e.charCodeAt(n+1);c3=e.charCodeAt(n+2);t+=String.fromCharCode((r&15)<<12|(c2&63)<<6|c3&63);n+=3}}return t}}

score 9 · Answer 3 · answered Feb 03 '16 at 13:26

9

if you have more complex objects like an array, you can do this :

<% if (myVar) { %>
   <script>
      myVar = JSON.parse('<%- JSON.stringify(myVar) %>');
   </script>
<% } %>

otherwise, previous solutions you have seen will not work

answered Feb 03 '16 at 13:26

Benjamin Fuentes

674
9
22

It was working without this `JSON.parse(JSON.stringify())` trick, but VS Code was showing an "Expression expected" error (even with the EJS language support extension). Now it doesn't anymore =D. – Drarig29 Jul 23 '21 at 20:00

score 4 · Answer 4 · answered Apr 19 '13 at 06:29

4

Try this:

<script type="text/javascript">
     window.addEventListener('load', function(){
         alert('<%= myVar %>');
     });
</script>

answered Apr 19 '13 at 06:29

karaxuna

26,752
13
82
117

score 3 · Answer 5 · answered Jan 09 '19 at 08:02

3

Heres how i made it work, in node js pass the json like this

let j =[];
//sample json
j.push({data:"hi});

res.render('index',{json:j});

now in js function

var json = JSON.parse('<%- JSON.stringify(json) %>');

This worked well for me

answered Jan 09 '19 at 08:02

Jerin A Mathews

8,572
4
26
49

spitz · Answer 6 · 2015-08-05T22:17:27.577

0

Per the documentation here:

Go to the Latest Release, download ./ejs.js or ./ejs.min.js.

Include one of these on your page, and ejs.render(str).

edited Aug 05 '15 at 22:17

answered Aug 01 '15 at 02:15

spitz

103
1
7

user732456 · Answer 7 · 2016-02-22T10:19:40.020

In the accepted solution JSON.parse will fail if myVar has a property with value with unescaped double quote. So better traverseObj and escape each string property.

Here is a function that covers my case:

function traverseObj (obj, callback)
{
    var result = {};
    if ( !isArray(obj) && !isObject(obj) ) {
         return callback(obj);
    }

    for ( var key in obj ) {
        if ( obj.hasOwnProperty(key) ) {
            var value = obj[key];
            if (isMongoId(value)){
                var newValue = callback(value.toString());
                result[key] = newValue;
            }
            else if (isArray ( value) ) {
                var newArr = [];
                for ( var i=0; i < value.length; i++ ) {
                    var arrVal = traverseObj(value[i], callback);
                    newArr.push(arrVal);
                }
                result[key] = newArr;
            }
            else if ( isObject(value) ) {
                result[key] = traverseObj(value, callback);
            }
            else {
                var newValue = callback(value);
                result[key] = newValue;
            }
        }
    }
    return result;
};

Than in ejs you simply has to:

<%
    var encodeValue = function(val) {
        if ( typeof val === 'string' ) {
            return sanitizeXSS(val); //use some library (example npm install xss)
        }
        return val;
    }

    var encodedProduct = ejs_utils.traverseObj(product, encodeValue);
%>

and now you can transport is safely with unescaped syntax

window.product = <%-JSON.stringify(encodedProduct)%>;

score 0 · Answer 8 · answered Jul 13 '20 at 15:43

0

I had the similar problem. i got the value

var inJavascript = JSON.parse("<%= myVar %>");

answered Jul 13 '20 at 15:43

Mahmud

141
2
7

Pass variables to JavaScript in ExpressJS

8 Answers8

Linked

Related