
Generated page_update javascript is incorrectly escaped. #17

Open
esb opened this issue Jan 10, 2013 · 2 comments

Comments

@esb

esb commented Jan 10, 2013

The javascript being generated by update_page is incorrectly marked as html_safe. This causes a problem when you include an update_page fragment as an option on an HTML tag.

For example:

<%= submit_tag('Save', :disable_with => 'Please wait...', :onclick => update_page {|p| p.hide("cancel-update")}) %>

The onclick option is passed through to the tag helpers and eventually the text is processed by ERB::Util.html_escape. However, the html_escape method does not escape the string if it is marked as html_safe. All output from update_page is marked as html_safe, even though it isn't.

The output from update_page in the above example is

"Element.hide(\"cancel-update\");"

Clearly, the output has not been escaped as the " characters have not been converted -

"Element.hide(&quot;cancel-update&quot;);"

The solution is to remove the html_safe method from the output of update_page -

def update_page(&block)
  JavaScriptGenerator.new(self, &block).to_s
end

I realize that it's pretty futile raising an issue here in the hope that the official gem might be updated. However, for any other users out there with large amounts of Prototype code who can't afford to instantly convert everything to jQuery, this might help you.

It would be nice if the Rails developers sometimes recognized that in the real world, we don't necessarily have all the resources to instantly jump on the latest bandwagon. Sadly Prototype has fallen out of favour and has now been neglected to the point where nobody bothers to fix any errors.
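The escaping path described in the report, as an added example that is not part of the issue, the prototype-rails gem or Rails itself. It models the two behaviours the report relies on with stand-ins (a `SafeBuffer` string class that answers `html_safe?` true, and a `rails_html_escape` that passes such strings through untouched, as the Rails override of `ERB::Util.html_escape` does), and a simplified `submit_tag`/`tag_attribute` pair that wraps an escaped value in double quotes the way the tag helpers do. `update_page_buggy` and `update_page_fixed` are hypothetical stand-ins for the generator output before and after the proposed change; the JavaScript string is the one quoted above, not produced by a real `JavaScriptGenerator`. The `attribute_value` helper is a deliberately naive attribute reader used only to show where an HTML parser would end the `onclick` attribute in each case.

```ruby
require 'erb'

# Stand-in for ActiveSupport's html_safe? predicate: plain strings are not safe.
class String
  def html_safe?
    false
  end
end

# Stand-in for ActiveSupport::SafeBuffer: marked as already escaped.
class SafeBuffer < String
  def html_safe?
    true
  end
end

# Rails overrides ERB::Util.html_escape so that html_safe strings are returned
# as-is; only unsafe strings go through the real escaper from stdlib erb.
def rails_html_escape(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Hypothetical: what update_page returns today, with the html_safe mark the
# issue objects to. The JS text is the one quoted in the report.
def update_page_buggy(js)
  SafeBuffer.new(js)
end

# Hypothetical: the proposed fix, a plain String that the tag helper escapes.
def update_page_fixed(js)
  String.new(js)
end

# Simplified tag_options: escape the value, then wrap it in double quotes.
def tag_attribute(name, value)
  %(#{name}="#{rails_html_escape(value)}")
end

# Simplified submit_tag with only the onclick option wired through.
def submit_tag(onclick)
  %(<input type="submit" value="Save" #{tag_attribute('onclick', onclick)} />)
end

# Naive attribute reader: returns the text up to the first unescaped double
# quote, which is where an HTML parser would close the attribute.
def attribute_value(html, name)
  m = html.match(/#{Regexp.escape(name)}="([^"]*)"/)
  m && m[1]
end

# Constructed input: the generator output quoted in the report.
CANCEL_JS = 'Element.hide("cancel-update");'

if __FILE__ == $PROGRAM_NAME
  puts submit_tag(update_page_buggy(CANCEL_JS))
  puts "  onclick as parsed: #{attribute_value(submit_tag(update_page_buggy(CANCEL_JS)), 'onclick').inspect}"
  puts submit_tag(update_page_fixed(CANCEL_JS))
  puts "  onclick as parsed: #{attribute_value(submit_tag(update_page_fixed(CANCEL_JS)), 'onclick').inspect}"
end
```

With the html_safe mark in place the literal `"` characters survive into the attribute, so the rendered `onclick` ends after `Element.hide(` and the rest of the JavaScript spills out of the attribute into the tag. Returning a plain String lets `rails_html_escape` convert the quotes to `&quot;`, which the browser decodes back to `"` before evaluating the handler, so the attribute stays intact and the script is unchanged.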

@fxn
Member

fxn commented Jan 10, 2013

Hi @esb while we do not actively maintain this gem, if you provide a patch that fixes the issue we will apply.

@esb
Author

esb commented Jan 10, 2013

Thanks for the update. I'll generate some test cases for it tomorrow.
