[LRUG] Double submit

Andrew Stewart boss at airbladesoftware.com
Thu Feb 13 09:12:43 PST 2014


On 18 Jan 2014, at 10:45, James Coglan <jcoglan at gmail.com> wrote:
> 
> On 17 January 2014 14:22, Andrew Stewart <boss at airbladesoftware.com> wrote:
> I wrote this five years ago and haven't needed to revisit it since.  These days there are doubtless better ways to handle AJAX responses and update the page ;)
> 
> No, this is a perfectly fine way to do things, especially since Rails provides XSS protection when rendering HTML on the server. The main other sensible way to do this is for the server to return JSON, and have the client-side code turn that into HTML. You do however need to make sure the client-side code performs HTML-escaping of content to avoid XSS attacks, or use a templating language like EJS or Jade that does this for you.
> 
> Although Rails encourages it, you should not return JavaScript in response to an Ajax call, especially not for GET requests since it leads to CSRF attacks. See https://github.com/jcoglan/unsafe_sjr for a demo. 

Following this logic, I presume the only safe way to update multiple parts of a page in response to an AJAX call is to return JSON containing the various updated snippets, and have the client-side handler extract those snippets and update the page with them?

Yours,
Andrew
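The approach Andrew asks about, as an added example that is not part of the thread or of anyone's project: the server answers the AJAX request with a JSON body holding several updated snippets, and a client-side handler turns each snippet into HTML and writes it into its own element. Every untrusted value passes through an HTML-escaping function first, which is the point James makes about client-side rendering. The JSON shape, the element ids and the sample comment are constructed for this example; the `fakeDocument` stand-in only exists so the code runs outside a browser.

```javascript
// Added example, not code from the mailing-list thread. Client-side handler
// for the "server returns JSON, client renders HTML" pattern, with every
// untrusted value HTML-escaped before it is placed in markup.

// Escape the five characters that matter inside HTML text and quoted
// attribute values. A value like "<script>" becomes visible text, not code.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample response: several updated snippets in one JSON body.
// The author field deliberately carries markup to show it is neutralised.
const sampleResponse = JSON.stringify({
  comment_count: 3,
  latest_comment: {
    author: "<script>alert(1)</script>",
    body: 'Tom & Jerry said "hi"'
  }
});

// Turn the JSON payload into a map of target element id -> HTML fragment.
// Only keys the client knows about are rendered; anything else is ignored,
// so the server cannot pick arbitrary targets on the page.
function renderFragments(jsonText) {
  const data = JSON.parse(jsonText);
  const fragments = {};
  if (typeof data.comment_count === "number") {
    fragments["comment-count"] =
      `<span class="count">${escapeHtml(data.comment_count)}</span>`;
  }
  if (data.latest_comment) {
    const c = data.latest_comment;
    fragments["latest-comment"] =
      `<div class="comment"><strong>${escapeHtml(c.author)}</strong>` +
      `<p>${escapeHtml(c.body)}</p></div>`;
  }
  return fragments;
}

// Write each fragment into its element and report how many were updated.
// `doc` defaults to the browser document but is injectable for testing.
function applyFragments(fragments, doc = globalThis.document) {
  let updated = 0;
  for (const [id, html] of Object.entries(fragments)) {
    const el = doc.getElementById(id);
    if (el) {
      el.innerHTML = html;
      updated++;
    }
  }
  return updated;
}

// Minimal stand-in for `document` (hypothetical helper) so the example can
// be exercised under Node without a DOM.
function fakeDocument(ids) {
  const els = Object.fromEntries(ids.map((id) => [id, { innerHTML: "" }]));
  return { getElementById: (id) => els[id] || null, els };
}

const doc = fakeDocument(["comment-count", "latest-comment"]);
applyFragments(renderFragments(sampleResponse), doc);
console.log(doc.els["latest-comment"].innerHTML);
```

Because the response is JSON rather than JavaScript, a cross-site `<script src=...>` tag cannot execute it, which is the CSRF concern James raises about script responses to GET requests; the escaping in `renderFragments` covers the XSS side, where a templating library that escapes by default would do the same job.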

