A lot of people use the js responder with ujs, but there are often bugs with how jQuery handles the automatic code execution of js ajax responses, so I agree, it's something I wouldn't mind deprecating.
One reason people tend to use js responders is to use js.erb to embed values from ruby into the returned js, but I think a better way to do this is to use json and HTML data attributes to embed values when necessary.

On Nov 28, 2013 3:49 PM, "Aaron Patterson" <[email protected]> wrote:

> On Thu, Nov 28, 2013 at 12:41:37AM -0800, Egor Homakov wrote:
> > https://github.com/rails/rails/issues/12374#issuecomment-29446761
> >
> > Here in discussion I proposed to deprecate JS responder because this
> > technique is insecure and not a pragmatic way to transfer data.
> > It can be exploited in this way
> > http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> >
> > I find this bug very often so I know what I'm talking about. With it an
> > attacker can steal user data and authenticity_token if templates with form
> > were leaked too.
>
> Removing it seems fine to me, but I suppose we should deprecate it
> first. Don't people need to specifically say "render js: whatever"?
>
> I think 100% of "render js:" cases can be implemented using JSON. But
> maybe I am wrong.
>
> --
> Aaron Patterson
> http://tenderlovemaking.com/
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
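The contrast the reply draws, as an added example that is not part of the thread and not Rails' own code: a js.erb-style response that interpolates per-user values into executable JavaScript, the JSON and data-attribute alternative, and a hypothetical XHR gate for responses that must stay JavaScript. The sample user, the token value and all function names are constructed for the example.

```ruby
require "json"
require "cgi"

# Constructed per-user data standing in for what a controller action would have.
CURRENT_USER = { email: "alice@example.com", authenticity_token: "constructed-token-123" }.freeze

# The pattern the thread objects to: a js.erb-style responder interpolating
# server-side values into executable JavaScript. Any site can load this URL via
# <script src> with the victim's cookies attached, so everything in the body leaks.
def render_js_erb(user)
  <<~JS
    $("#email").text(#{user[:email].to_json});
    window.authenticityToken = #{user[:authenticity_token].to_json};
  JS
end

# The alternative proposed in the reply: hand back plain JSON. A JSON object is
# not a runnable script body, so a cross-site <script src> gains nothing from it.
def render_json(user)
  JSON.generate(email: user[:email])
end

# Values needed at page-load time go into the HTML (same-origin only) as data
# attributes, escaped so they cannot break out of the attribute.
def profile_tag(user)
  %(<div id="profile" data-email="#{CGI.escapeHTML(user[:email])}"></div>)
end

# Gate for code paths that must keep returning JavaScript: a GET for a JS body
# is served only when it arrived via XHR. A cross-origin <script> tag cannot set
# X-Requested-With, and a cross-origin XHR carrying that header is blocked by the
# browser unless CORS allows it. (Hypothetical helper, not Rails' own check.)
def allow_js_response?(method:, content_type:, xhr:)
  return true unless method == "GET"
  return true unless content_type.start_with?("text/javascript")
  xhr
end

if __FILE__ == $PROGRAM_NAME
  puts render_js_erb(CURRENT_USER)
  puts render_json(CURRENT_USER)
  puts profile_tag(CURRENT_USER)
  p allow_js_response?(method: "GET", content_type: "text/javascript", xhr: false)
end
```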
