
I would like to pass a params hash into jQuery. The thing is, I want to pass an array of strings.

For now I am using: In HAML:

.hidden{id: 'correct_solutions_params', data: {correct_solutions: params[:task][:correct_solutions]}}

which gives following HTML:

<div class="hidden" data-correct-solutions="["a", "c", "d"]" id="correct_solutions_params"></div>

Obviously

params[:task][:correct_solutions] = ['a', 'c', 'd']

And now I should access data in jQuery (did not try yet, but should work):

var datadump = ($('#correct_solutions_params').data('correct-solutions'));

The thing is, this trick is really old. I am using Rails 5. Is there a better, newer solution than this? Is that considered secure?

  • I have a question: is it double-quoted like this `data-correct-solutions="["a", "c", "d"]"`? Shouldn't an HTML attribute have single quotes if it contains double quotes within? – trk Sep 09 '17 at 15:55
  • Thanks. Can you just post the exact string it outputs (or as seen in the inspector)? – trk Sep 09 '17 at 15:57
  • Sorry about my earlier comment. Actually the inspector shows a double quote twice: a double quote inside a double quote (exactly what was in the post pre-edit and what is there right now). So the inspector shows `data-correct-solutions="["a", "c", "d"]"` –  Sep 09 '17 at 15:58
  • Are you able to put single quotes through your `task` method when you serialize it? – trk Sep 09 '17 at 16:19

1 Answer


Is that considered secure?

It depends on what data you are storing here, but in general, if you consider this data sensitive, this is not considered secure: someone can inspect the HTML elements and easily change the values, and then you could have someone pass whatever he wants to your jQuery code.

The thing is, that this trick is really old. I am using Rails 5. Is there a better, newer solution than this?

I'm not really sure I understood what you want to do, but if you want to read GET params then you can read them directly from your JS code.

Another way is to use embedded Ruby inside your JS script; then you can read the params directly from there with something like

var datadump = <%= params[:...] %>

Otherwise, your method will do

Mshka
  • Hey, in this exact situation the data is not sensitive, but I wanted to know for the future. I was more concerned about some kind of attacks like XSS. The thing is, in Rails the URL does not store the params (they're not visible in the URL), so I cannot read them from there. –  Sep 10 '17 at 10:25
  • @Kappa if you can't read them from the URL, the best way IMHO is the current method that you are using _(since the data is not sensitive)_. For future use, Rails is aware of such attacks and they have documentation on how you can prevent this; you can check it here http://guides.rubyonrails.org/security.html#cross-site-scripting-xss – Mshka Sep 11 '17 at 16:14
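An added example, not code from the question or the answer, showing what each of the two routes discussed above actually sends to the browser and where the XSS risk sits. It is plain Ruby using only the standard library (`erb`, `json`), so it runs without a Rails app: `data_attribute` reproduces what the Rails tag helper does with a hash passed under `data:` (JSON-encode, then HTML-escape for the attribute context), `read_back` reproduces what the browser and jQuery's `.data()` do on the other side (decode the entities, then `JSON.parse`), and `json_for_script` reproduces the `<`, `>`, `&`, U+2028 and U+2029 escaping that ActiveSupport's JSON encoder applies so that `var datadump = <%= ... %>` cannot be broken out of. The two sample arrays, the hostile payload and all function names are constructed for this example.

```ruby
# Added example (not from the original post). Plain Ruby, no Rails required.
require "erb"
require "json"

# Constructed samples: what a normal request and a hostile request carry in
# params[:task][:correct_solutions].
BENIGN_SOLUTIONS  = ["a", "c", "d"].freeze
HOSTILE_SOLUTIONS = ["a", %q(</script><script>alert(document.cookie)</script>)].freeze

# 1. The data-attribute route (the HAML in the question).
#    Serialize explicitly with JSON, then HTML-escape for the attribute
#    context, as the Rails tag helper does with values under data:.
#    Every '"' becomes &quot; and every '<' becomes &lt;, so the payload can
#    neither close the attribute nor start a tag. What you see in devtools
#    is the *decoded* value, which is why it looks like nested double quotes.
def data_attribute(key, value)
  name = "data-#{key.to_s.tr('_', '-')}"
  %(#{name}="#{ERB::Util.html_escape(JSON.generate(value))}")
end

# Minimal decoder for the five entities html_escape emits; it stands in for
# the browser's attribute parsing in this example.
ENTITIES = { "&quot;" => '"', "&#39;" => "'", "&lt;" => "<",
             "&gt;" => ">", "&amp;" => "&" }.freeze

def decode_attribute(raw)
  raw.gsub(/&(quot|#39|lt|gt|amp);/) { |entity| ENTITIES[entity] }
end

# What $('#...').data('correct-solutions') returns: jQuery sees a value that
# looks like JSON and runs JSON.parse on it, so the array comes back intact
# (hostile strings included, but as data, not as markup).
def read_back(attribute_markup)
  raw = attribute_markup[/="(.*)"\z/, 1]
  JSON.parse(decode_attribute(raw))
end

# 2. The inline-script route from the answer (var datadump = <%= ... %>).
#    Printing JSON into a <script> body is only safe if the encoder escapes
#    the characters that can terminate the script block. This mirrors what
#    ActiveSupport's JSON encoder does when escape_html_entities_in_json is on.
JS_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
               "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze

def json_for_script(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| JS_ESCAPES[c] }
end

# safe: false models dropping the value in with plain JSON and raw/html_safe.
def inline_script(value, safe: true)
  body = safe ? json_for_script(value) : JSON.generate(value)
  "<script>var datadump = #{body};</script>"
end

# The HTML parser ends a script block at the first "</script" it meets; it
# knows nothing about JavaScript string literals.
def script_breakout?(markup)
  inner = markup[%r{<script>(.*)</script>\z}m, 1]
  inner.match?(%r{</script}i)
end

if __FILE__ == $PROGRAM_NAME
  puts data_attribute(:correct_solutions, BENIGN_SOLUTIONS)
  puts data_attribute(:correct_solutions, HOSTILE_SOLUTIONS)
  puts inline_script(HOSTILE_SOLUTIONS, safe: false)   # breaks out of <script>
  puts inline_script(HOSTILE_SOLUTIONS)                # stays inside the literal
end
```

Two practical notes. First, the value on the page, `["a", "c", "d"]` with spaces, looks like Ruby's `Array#inspect` rather than JSON, which suggests HAML is calling `to_s` on the array; that happens to parse as JSON for plain letters but not in general (for instance `#{` or non-ASCII characters are escaped differently), so pass `params[:task][:correct_solutions].to_json` explicitly rather than the bare array. Second, neither route changes the point made in the answer: the attribute is fully visible and editable in the client, so anything the jQuery code later sends back to the server has to be validated server-side as if it were arbitrary user input.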