http://qs321.pair.com?node_id=1168768


in reply to Re^8: perl dancer route template hashref pass complex json file to server issue (escape/filter)
in thread perl dancer route template hashref pass complex json file to server issue

You have it backward. You don't need to disable some template filter. You need to create and then enable an appropriate template filter.

Your templated javascript contains lines like:

var test='<%passtoserver%>';

If the value provided for 'passtoserver' was "Don't do this", then the javascript generated by your template would be:

var test='Don't do this';

That is a syntax error. So you need to change your template to contain lines more like:

var test='<% passtoserver | js_str %>';

or, perhaps even better:

var test=<% passtoserver | js_str %>;

where the "| js_str" tells the template to properly escape any characters that need to be escaped in order to be included verbatim inside of a javascript string literal (and, in the second case, also adds the enclosing quote marks).

And, no, Template::Toolkit doesn't come with a pre-built js_str filter so you'll have to create that as well.

Your problem case is due to the \ character not being escaped for similar reasons. So your template produces javascript code like:

var test='[{"name":"test","problem":"here is the problem \" comma "}]';

And, in javascript, '\"' is the same value as '"'.

- tye        

Re^10: perl dancer route template hashref pass complex json file to server issue (the reverse)
by RamiD (Acolyte) on Aug 03, 2016 at 19:47 UTC
    this worked for me
    <%passtoserver | replace('"', '"')%>;
    thanks
Re^10: perl dancer route template hashref pass complex json file to server issue (the reverse)
by Anonymous Monk on Jul 28, 2016 at 22:46 UTC

    Doesn't add quotes but it exists: Template::Plugin::JavaScript - Encodes text to be safe in JavaScript
    document.write("[% sometext | js %]");

      Thanks, the following worked for me:
      <!DOCTYPE html>
      <html>
      <head> </head>
      <body>
      <div style = "padding: 100px 100px 10px;">
      <script>
      var test2=<%passtoserver | replace('"', '"') %>;
      var test3=JSON.stringify(test2);
      alert(test3);
      </script>
      <button type="text" >
      </div>
      </body>
      </html>
      without any change in client side, Rami D.

        I suspect that your working code does not exactly match the code that you posted above. Trying to guess some things, I encourage you to test your code against a JSON value that contains strings containing a single quote / apostrophe character, a literal backslash character, even a newline character.

        Update: Oh, much later I realized how the code you posted could actually work. Valid JSON strings are also valid JavaScript source code. This might well open up a vector for doing cross-site JavaScript injection attacks, though that is likely true using your old 'eval' approach as well.

        - tye
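
One way to write the js_str filter described in the first post, added here as an example that is not code from any participant in the thread. It assumes Template Toolkit's FILTERS option and the core JSON::PP module for the escaping; the filter body, the extra escaping of <, >, & and U+2028/U+2029 for inline script blocks, and the sample values are all constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP ();
use Template;

# allow_nonref lets the encoder accept a bare string, not only a hash/array ref.
my $json = JSON::PP->new->allow_nonref;

# js_str (name taken from the post; this body is an assumption, not tye's code):
# returns a complete, quoted JavaScript string literal for arbitrary text.
sub js_str {
    my ($text) = @_;
    # JSON string syntax escapes ", \ and control characters such as newline.
    my $lit = $json->encode( defined $text ? "$text" : '' );
    # Extra escapes for use inside an inline <script> block: <, > and & keep the
    # HTML parser from seeing "</script>" or "<!--"; U+2028/U+2029 are line
    # terminators inside string literals for pre-ES2019 JavaScript engines.
    $lit =~ s/([<>&\x{2028}\x{2029}])/sprintf '\\u%04x', ord $1/ge;
    return $lit;
}

my $tt = Template->new({
    START_TAG => quotemeta('<%'),    # same tag style as the templates in this thread
    END_TAG   => quotemeta('%>'),
    FILTERS   => { js_str => \&js_str },
}) or die Template->error;

# No quote marks in the template: the filter supplies them.
my $template = "var test=<% passtoserver | js_str %>;\n";

# Constructed sample values: apostrophe, JSON text with \", newline, </script>.
my @samples = (
    q{Don't do this},
    q{[{"name":"test","problem":"here is the problem \" comma "}]},
    "line one\nline two",
    q{text containing </script> in the middle},
);

for my $value (@samples) {
    my $out = '';
    $tt->process( \$template, { passtoserver => $value }, \$out )
        or die $tt->error;
    print $out;
}
```

Each printed line is a valid JavaScript assignment; for the second sample, JSON.parse(test) on the client recovers the original structure with the embedded quote intact.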