apneadiving
commented
9 years ago How do you use the json?
(For your bonus, just remove the markers temp var, blocks should return the results
Open jerefrer opened 9 years ago
apneadiving
commented
9 years ago How do you use the json?
(For your bonus, just remove the markers temp var, blocks should return the results
jerefrer
commented
9 years ago I'm using the JSON like this in a HAML view:
:javascript
handler = Gmaps.build('Google');
handler.buildMap({ provider: {}, internal: {id: 'map'}}, function(){
markers = handler.addMarkers(#{@map_markers});
handler.bounds.extendWith(markers);
handler.fitMapToBounds();
});I think I've tried every possible combination of to_json and html_safe either in the controller or the view. This led me to think that this has become impossible to do for the sake of XSS safety.
For the bonus question, the thing is that without_html_escaping_in_json actually returns the value of ActiveSupport.escape_html_entities_in_json = true because it's the last line, so build_markers returns true instead of the return value of Gmaps4rails.build_markers.
apneadiving
commented
9 years ago Weird, I dont have such kinds of issues. I have no computer around to try though.
For bonus:
def without_html_escaping_in_json(&block)
ActiveSupport.escape_html_entities_in_json = false
result = yield
ActiveSupport.escape_html_entities_in_json = true
result
endHaha so simple I didn't believe we could do this :) Thanks !
I've been unable to add an html infowindow to my markers because Rails wouldn't stop escaping html characters (
<to\u003for instance).It seems Rails 4 added this to prevent XSS attacks.
The only way I found to bypass this is to disable the escaping with
ActiveSupport.escape_html_entities_in_json = false. See http://stackoverflow.com/questions/17936318/why-does-is-rails-4-unicode-escaping-in-to-jsonWhat do you think ?
Here's what I'm doing in the controller:
Bonus question: How do I get rid of this ugly
markers = nilandmarkersat the end of thebuild_markersmethod ?