Question

So when I save a record in my Rails 4 app this happens. Here's some details:

  • I'm using the Ace editor.
  • The data attribute is nowhere in my model or app.
  • The form is a standard form_for (not remote).
  • The record does save successfully but then it redirects to this weird ass URL.

The code for the update is standard scaffold boilerplate.

# PATCH/PUT /pages/1
# PATCH/PUT /pages/1.json
def update
  respond_to do |format|
    if @page.update(page_params)
      format.html { redirect_to @page, notice: 'Page was successfully updated.' }
      format.json { head :no_content }
    else
      format.html { render action: 'edit' }
      format.json { render json: @page.errors, status: :unprocessable_entity }
    end
  end
end

Anyone have any ideas? Probably something simple but I can't for the life of me figure this one out. Let me know if there's any other pertinent information I can share.


Solution

In your specific case (the one shown in your quickcast), Chrome is considering this a security risk because you're submitting a <script> element containing javascript that's being inserted into the renderable contents of the page using [Rails' built-in] asynchronous javascript.

To avoid this, you could:

  1. Strip out the wrapping <script> tags using client-side logic before submitting the form, and then add them back in on the server before saving the record.
  2. Disable Rails' built-in ajaxification of the update action in this controller, so that it submits through plain old HTML.
  3. Add an intermediary redirect page between form submittal and viewing the show action.

Other tips

I believe it is because your @page show view is rendering escaped HTML and Javascript. Chrome probably has heuristics to analyze the page and determine what type of document it is. Since it likely doesn't start with <html>, then Chrome assumes it is a data file with the data: protocol. Try rendering to a string and printing the results on the console:

http://guides.rubyonrails.org/layouts_and_rendering.html#using-render

puts render_to_string @page

See section 4.1.1 http://guides.rubyonrails.org/security.html#redirection

data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

Please update your answer with the show view template, the show action, and the log from render_to_string.
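The following is an added example, written for this page and not code from either answer above or from the asker's app. It uses only Ruby's standard library (no Rails) and does three things the answers talk about: decodes the base64 data: URL quoted above so the payload can be read instead of rendered, shows what Rails' HTML escaping (the same ERB::Util.html_escape that the view helpers use) does to that payload, and implements a redirect-target check of the kind section 4.1.1 of the Rails security guide recommends, rejecting data:, javascript: and off-site targets. The hostname example.com and the helper names are assumptions for the example.

```ruby
require 'base64'
require 'uri'
require 'erb'

# The data: URL quoted in the answer above (a constructed sample, not a real page).
DATA_URL = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K'

# Assumed hostname of the Rails app for the redirect check below.
ALLOWED_HOST = 'example.com'

# Split a data: URL into its media type and decoded body so the content can be
# inspected (e.g. in a log) rather than handed to the browser.
def decode_data_url(url)
  m = url.match(/\Adata:([^,]*?)(;base64)?,(.*)\z/m)
  return nil unless m
  body = if m[2]
           Base64.decode64(m[3])
         else
           # Non-base64 data URLs are percent-encoded.
           m[3].gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
         end
  { media_type: m[1].empty? ? 'text/plain' : m[1], body: body }
end

# What the view layer emits when the raw payload is rendered through the
# default escaping helpers: tags and quotes become entities, so the browser
# displays the text instead of executing it.
def escape_for_html(untrusted)
  ERB::Util.html_escape(untrusted)
end

# Redirect-target validation: allow only a same-app relative path or an
# absolute http(s) URL on the allowed host. data:, javascript:, protocol-
# relative (//host) and unparsable targets are all rejected.
def safe_redirect_target?(target, allowed_host: ALLOWED_HOST)
  uri = URI.parse(target.to_s)
  return true if uri.scheme.nil? && uri.host.nil? && uri.path.start_with?('/')
  %w[http https].include?(uri.scheme) && uri.host == allowed_host
rescue URI::InvalidURIError
  false
end

# Pick a redirect destination, falling back to a known-safe path when the
# requested one does not pass the check.
def redirect_destination(requested, fallback: '/pages')
  safe_redirect_target?(requested) ? requested : fallback
end

if __FILE__ == $PROGRAM_NAME
  decoded = decode_data_url(DATA_URL)
  puts "media type: #{decoded[:media_type]}"
  puts "payload:    #{decoded[:body].inspect}"
  puts "escaped:    #{escape_for_html(decoded[:body].strip)}"
  [DATA_URL, 'javascript:alert(1)', '//evil.example/x',
   '/pages/1', 'https://example.com/pages/1'].each do |t|
    puts "#{safe_redirect_target?(t) ? 'allow ' : 'reject'} #{t}"
  end
end
```

In a controller this would be used as `redirect_to redirect_destination(params[:return_to])` in place of redirecting to a value taken from the request, while `decode_data_url` is the quick way to see what a surprising data: URL in the address bar actually contains.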

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow