Missing escape of labels
jacobat opened this issue · 4 comments
jacobat commented
The following piece of code will break when trying to run in the browser:
require 'google_visualr'  # needed to run this snippet outside a Rails app

data_table = GoogleVisualr::DataTable.new
data_table.new_column('number', "It's my party")
chart = GoogleVisualr::Interactive::SteppedAreaChart.new(data_table, {})
chart.to_js('div_id')
If I puts the to_js call I get:
<script type='text/javascript'>
google.load('visualization','1', {packages: ['corechart'], callback: function() {
var data_table = new google.visualization.DataTable();data_table.addColumn('number', 'It's my party');
var chart = new google.visualization.SteppedAreaChart(document.getElementById('div_id'));
chart.draw(data_table, {});
}});
</script>
Where the problem is:
data_table.addColumn('number', 'It's my party');
The quote in It's is what's breaking the JavaScript.
kandadaboggu commented
You should use the render_chart helper method instead of calling to_js directly, i.e.
render_chart(chart, 'div_id')
The render_chart helper performs the proper HTML escaping before returning.
winston commented
@jacobat is right. I didn't escape the labels:
@cols.each do |column|
  js << "data_table.addColumn("
  if column[:role].nil?
    js << column.map { |key, value| "'#{value}'" }.join(", ")
  else
    js << "{" + column.map { |key, value| "#{key}: '#{value}'" }.join(", ") + "}"
  end
  js << ");"
end
jacobat commented
Would it be possible to construct the JS strings with to_json instead?
Say:
@cols.each do |column|
  js << "data_table.addColumn("
  js << column.to_json
  js << ");"
end
winston commented
Fixed. Thank you!
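The two constructions discussed in this thread side by side, as an added example that is not code from the google_visualr gem or from any of the commenters: the interpolated version reproduces the broken output jacobat quoted, the to_json version shows the escaping the fix relies on, and a small quote-balance check makes the difference testable. The column hash shape and the function names are assumptions for illustration.

```ruby
require 'json'

# Constructed sample column description (hypothetical shape: a hash with the
# keys the gem passes to addColumn). The label carries the quote from the issue.
SAMPLE_COLUMN = { type: 'number', label: "It's my party" }.freeze

# The construction reported in the issue: each value is interpolated into a
# single-quoted JS string literal, so a quote inside the label terminates the
# literal early and the rest of the statement becomes a syntax error.
def column_js_unescaped(column)
  "data_table.addColumn(" + column.map { |_key, value| "'#{value}'" }.join(", ") + ");"
end

# The fix proposed in the thread: serialise the column hash with to_json, which
# produces a JSON object literal with quotes and backslashes escaped. addColumn
# accepts such a description object in place of positional arguments.
def column_js_escaped(column)
  "data_table.addColumn(" + column.to_json + ");"
end

# Minimal check that every JS string literal in the statement is closed: walk
# the characters, track which quote character opened the current literal, and
# honour backslash escapes inside it. Returns false if the statement ends while
# still inside a literal, which is exactly what the unescaped label causes.
def balanced_js_string_literals?(js)
  quote = nil
  i = 0
  while i < js.length
    c = js[i]
    if quote
      if c == '\\'
        i += 1              # skip the escaped character
      elsif c == quote
        quote = nil
      end
    elsif c == "'" || c == '"'
      quote = c
    end
    i += 1
  end
  quote.nil?
end

if __FILE__ == $0
  [column_js_unescaped(SAMPLE_COLUMN), column_js_escaped(SAMPLE_COLUMN)].each do |js|
    puts "#{balanced_js_string_literals?(js) ? 'ok    ' : 'broken'}  #{js}"
  end
end
```

One caveat when reading this as a general pattern: to_json makes the label a valid JavaScript string literal, but plain JSON does not escape `</`, so a label containing `</script>` would still end an inline script block; output that is embedded inside a script tag needs that sequence escaped as well (for example as `\u003c/`), which is the kind of context-aware escaping a helper such as render_chart is meant to own.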