
Basically I just want to insert this + "?direction=desc" in a helper method.

But once it parses, it comes out like this:

/organizations/search?order_by=contactable%3Fdirection%3Ddesc

Anyone know a way around this?

My Helper Method:

def search_sort(name, sort_by, order = 'asc')
  # Note: a comma was missing between the two hash entries in the original snippet.
  link_to(name, url_for(:overwrite_params => { :order_by => sort_by + "?direction=desc", :page => nil }), :class => 'selected save_pushstate')
  ...

I know what you're thinking. Just add :order into it. The problem is that I'm using an AJAX history saver from Railscasts #175.

$(".save_pushstate").live("click", function() {
  $.setFragment({"order_by" : $.queryString($(this).attr('href')).order_by});
  //$.setFragment({"direction" : $.queryString($(this).attr('href')).direction});
  return false;
});

And it rewrites my url to just one "fragment". I can't have two! So I decided that if I can just add the direction param in the href hard-coded, it could deal with this whole mess.

Trip
  • This is likely done by a URI.escape call somewhere. Exactly what's doing it is hard to say without seeing a bit of actual code. And do you really want another '?' in that query? – Don Roby Jan 13 '11 at 18:01
  • See answer below (about html_safe). Strings on Rails 3 are now escaped by default, and need to be flagged as safe before they are rendered as-is on the page to prevent XSS –  Jan 13 '11 at 18:14
  • Have you checked out the latest railscasts on AJAX history state? It might prove useful for you, as it specifically refers to episode 175 as well: http://asciicasts.com/episodes/246-ajax-history-state – clemensp Jan 13 '11 at 19:16
  • That's where I started and ended up going backwards from there. Unless there's something dreadfully obvious that I'm missing. – Trip Jan 13 '11 at 19:39
  • Something I just realized: you should be using & instead of ? in your appended string. – clemensp Jan 13 '11 at 19:56
  • Hmm.. it should work either way. But it still doesn't escape the XSS. Thanks though! ;) – Trip Jan 13 '11 at 20:09
  • As far as I can tell, if you leave out :escape => false, url_for should be doing the html escaping by default. – clemensp Jan 13 '11 at 20:26

1 Answer

Try:

+ "?direction=desc".html_safe

Edit: Since you're using Rails 2.3.5, try this:

def search_sort(name, sort_by, order = 'asc')
  # Note: a comma was missing between the two hash entries in the original snippet.
  link_to(name, url_for(:overwrite_params => { :order_by => sort_by + "?direction=desc", :page => nil }, :escape => false), :class => 'selected save_pushstate')
  ...

Note the ":escape => false" in url_for.

Edit2: After reading this: http://www.ruby-forum.com/topic/80381

Specifically this excerpt:

I think this is where the confusion is arising. There are two different kinds of escaping going on.

It sounds like you're talking about the URL encoding that uses '%xx' to represent special characters.

However, the html_escape function does something completely different. It takes a string and turns '&' into '&amp;' and '<' into '&lt;', etc., so that it can go into HTML without being interpreted as literal '&'s and '<'s.

Escaping special characters in URLs using the '%xx' scheme is mandatory, otherwise they are not valid URLs.

I've realized that the 'escaping' that you see happening is url encoding, and it shouldn't affect your query/sorting, etc. You can test it out by taking the encoded url and typing it into your browser.

:escape => false disables HTML escaping, which means dangerous characters get converted to display codes, such as '&' into '&amp;' and '<' into '&lt;', etc.

And the "?" in your append should be "&":

+ "&direction=desc"

Hope this helps. =)

clemensp
  • I think that might be only for Rails 3? I'm using Rails 2.3.5. Any alternatives? – Trip Jan 13 '11 at 18:30
  • What does your helper method look like? – clemensp Jan 13 '11 at 18:44
  • I think its around in some form - does “TEST”.html_safe! work for you? http://weblog.rubyonrails.org/2010/5/24/ruby-on-rails-2-3-7-released – Chris Kimpton Jan 13 '11 at 18:45
  • Try out the alternative solution I've posted for rails 2.3.5. =) – clemensp Jan 13 '11 at 19:20
  • @clemensp, yah that :escape gives me the same bug still. Went through the other tutorial a few more times.. I don't think it's any better of a solution for this.. – Trip Jan 13 '11 at 19:45
  • @clemensp, yah I'm using Firefox and the latest RailsCast won't work on it. I get a `history.pushstate is not a function`. Doesn't seem to be a way around it. – Trip Jan 13 '11 at 19:56
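The two encodings the answer distinguishes, shown side by side. This is an added example, not code from the question or the answer, and it uses plain Ruby stdlib stand-ins (a hypothetical build_sort_href for url_for, ERB::Util.html_escape for the HTML layer) rather than Rails itself. It reproduces the question's symptom: a "?direction=desc" glued onto the order_by VALUE is percent-encoded, so the server still sees a single parameter whose value literally contains "?direction=desc". That is the URL layer doing its job: percent-encoding of values is what stops a caller from injecting extra parameters into a link. Passing direction as its own parameter gives the intended query string. HTML escaping of the finished href is the separate, second layer that protects the attribute context ("&" becomes "&amp;"), which is what :escape => false would switch off.

```ruby
require 'cgi'
require 'erb'

# Hypothetical stand-in for url_for: every parameter VALUE is
# percent-encoded, so "?" or "&" inside a value stays literal data and
# cannot start a second parameter. nil values are dropped, like :page => nil.
def build_sort_href(path, params)
  query = params.reject { |_, v| v.nil? }
                .map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }
                .join('&')
  query.empty? ? path : "#{path}?#{query}"
end

# The question's attempt: direction smuggled into the order_by value.
def smuggled_href
  build_sort_href('/organizations/search',
                  order_by: 'contactable?direction=desc', page: nil)
end

# Correct form: direction is a parameter of its own.
def separate_param_href
  build_sort_href('/organizations/search',
                  order_by: 'contactable', direction: 'desc', page: nil)
end

# Server side: decode the query string into a params-like hash,
# the way a Rails controller would see it.
def parse_query(href)
  query = href.split('?', 2)[1] || ''
  CGI.parse(query).transform_values(&:first) # CGI.parse yields arrays
end

# HTML layer: the href goes into an attribute, so "&", "<", ">" and quotes
# are escaped as entities. This is the escaping :escape => false disables;
# it is unrelated to the %xx percent-encoding above.
def anchor_tag(text, href)
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>)
end

if $PROGRAM_NAME == __FILE__
  puts smuggled_href
  p parse_query(smuggled_href)
  puts separate_param_href
  p parse_query(separate_param_href)
  puts anchor_tag('Contactable', separate_param_href)
end
```

The server-side parse of the smuggled href yields order_by = "contactable?direction=desc" and no direction key at all, so the sort code never sees a direction; with the separate parameter both keys arrive as intended. The anchor_tag output also shows why a hand-built "&direction=desc" is harmless once HTML-escaped: the browser decodes "&amp;" back to "&" before following the link.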