Sign Up

Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.

Sign In

Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.

Forgot Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

You must login to ask a question.

Please briefly explain why you feel this question should be reported.

Please briefly explain why you feel this answer should be reported.

Please briefly explain why you feel this user should be reported.

Search

Ask A Question

0

Editorial Team

Asked: May 28, 20262026-05-28T20:39:31+00:00 2026-05-28T20:39:31+00:00

I’m trying to pass model attributes to javascript through html like this: <script type=text/javascript>

0

I’m trying to pass model attributes to javascript through html like this:

<script type="text/javascript">
  myModel = <%= MyModel.all.map{|m| m.attributes}.to_json.html_safe %>;
</script>

but, it’s not safe, because one of attribute values can be a malicious string:

"</script>Evil Code<script>"

How to make it safe again?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team
2026-05-28T20:39:32+00:00Added an answer on May 28, 2026 at 8:39 pm
I’ve decided to make a helper function, which escapes each attribute with h method:

def safe_attributes_of model_class attributes = model_class.all.map do |model| model.attributes.each_with_object({}) do |(k,v), attrs| attrs[k] = h(v) end end attributes.to_json.html_safe end
0

Reply

Share
Share

Share on Facebook

Share on Twitter

Share on LinkedIn

Share on WhatsApp

Report