Use <script type="application/json"> for props and store

[cheremukhin23]

See discussion in #760

Change code according to unresolved discussions in #760

---

This change is 

[justin808]

Looks excellent! Just a couple small comments.

---

Reviewed 13 of 17 files at r1, 2 of 4 files at r2.
Review status: all files reviewed at latest revision, 4 unresolved discussions, some commit checks failed.

---

lib/react_on_rails/react_component/options.rb, line 9 at r2 (raw file):

      NO_PROPS = {}.freeze
      HIDDEN = "display:none".freeze

I think we can remove HIDDEN

---

lib/react_on_rails/react_component/options.rb, line 57 at r2 (raw file):

      end

      def style

We can probably remove style since we're removing HIDDEN

---

spec/dummy/spec/helpers/react_on_rails_helper_spec.rb, line 62 at r2 (raw file):

    let(:id) { "App-react-component-0" }

    # rubocop:disable Metrics/LineLength

You can break the string with \ at the end, so the line is not crazy long, and remove the lint disable

---

spec/dummy/spec/helpers/react_on_rails_helper_spec.rb, line 93 at r2 (raw file):

      let(:react_definition_script) do
        # rubocop:disable Metrics/LineLength

try to avoid if possible

---

Comments from Reviewable

[justin808]

@cheremukhin23: CI failures:

Failures:
  1) Pages/Index Server Rendering with Options changes name in message according to input
     Failure/Error: is_expected.to have_content new_text
       expected to find text "John Doe" in "Hello, Mr. Server Side Rendering!"
     Shared Example Group: "React Component" called from ./spec/features/integration_spec.rb:61
     # ./spec/features/integration_spec.rb:9:in `block (2 levels) in change_text_expect_dom_selector'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/session.rb:310:in `within'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/dsl.rb:52:in `block (2 levels) in <module:DSL>'
     # ./spec/features/integration_spec.rb:8:in `block in change_text_expect_dom_selector'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/session.rb:310:in `within'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/dsl.rb:52:in `block (2 levels) in <module:DSL>'
     # ./spec/features/integration_spec.rb:6:in `change_text_expect_dom_selector'
     # ./spec/features/integration_spec.rb:18:in `block (2 levels) in <top (required)>'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:112:in `block in run'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:101:in `loop'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:101:in `run'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec_ext/rspec_ext.rb:12:in `run_with_retry'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:30:in `block (2 levels) in setup'
  2) Turbolinks across pages changes name in message according to input
     Failure/Error: is_expected.to have_content new_text
       expected to find text "John Doe" in "Hello, Mr. Server Side Rendering!"
     # ./spec/features/integration_spec.rb:9:in `block (2 levels) in change_text_expect_dom_selector'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/session.rb:310:in `within'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/dsl.rb:52:in `block (2 levels) in <module:DSL>'
     # ./spec/features/integration_spec.rb:8:in `block in change_text_expect_dom_selector'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/session.rb:310:in `within'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/capybara-2.12.1/lib/capybara/dsl.rb:52:in `block (2 levels) in <module:DSL>'
     # ./spec/features/integration_spec.rb:6:in `change_text_expect_dom_selector'
     # ./spec/features/integration_spec.rb:72:in `block (2 levels) in <top (required)>'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:112:in `block in run'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:101:in `loop'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:101:in `run'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec_ext/rspec_ext.rb:12:in `run_with_retry'
     # /home/travis/.rvm/gems/ruby-2.3.1/gems/rspec-retry-0.5.3/lib/rspec/retry.rb:30:in `block (2 levels) in setup'
Finished in 49.89 seconds (files took 5.38 seconds to load)
72 examples, 2 failures
Failed examples:
rspec ./spec/features/integration_spec.rb[1:2:2] # Pages/Index Server Rendering with Options changes name in message according to input
rspec ./spec/features/integration_spec.rb:68 # Turbolinks across pages changes name in message according to input

[cheremukhin23]

Review status: 14 of 15 files reviewed at latest revision, 4 unresolved discussions.

---

spec/dummy/spec/helpers/react_on_rails_helper_spec.rb, line 62 at r2 (raw file):

Previously, justin808 (Justin Gordon) wrote…

You can break the string with \ at the end, so the line is not crazy long, and remove the lint disable

Deleted rubocop exclusions and formatted string. Since we use squish on string, we can just format the string to be readable

---

spec/dummy/spec/helpers/react_on_rails_helper_spec.rb, line 93 at r2 (raw file):

Previously, justin808 (Justin Gordon) wrote…

try to avoid if possible

Deleted rubocop exclusion

---

Comments from Reviewable

[cheremukhin23]

Review status: 13 of 15 files reviewed at latest revision, 4 unresolved discussions.

---

lib/react_on_rails/react_component/options.rb, line 9 at r2 (raw file):

Previously, justin808 (Justin Gordon) wrote…

I think we can remove HIDDEN

Removed it

---

lib/react_on_rails/react_component/options.rb, line 57 at r2 (raw file):

Previously, justin808 (Justin Gordon) wrote…

We can probably remove style since we're removing HIDDEN

Removed it

---

spec/dummy/spec/helpers/react_on_rails_helper_spec.rb, line 62 at r2 (raw file):

Previously, cheremukhin23 (Dmitriy Cheremukhin) wrote…

Deleted rubocop exclusions and formatted string. Since we use squish on string, we can just format the string to be readable

Changed format to single quotes and \

---

spec/dummy/spec/helpers/react_on_rails_helper_spec.rb, line 93 at r2 (raw file):

Previously, cheremukhin23 (Dmitriy Cheremukhin) wrote…

Deleted rubocop exclusion

Changed format to single quotes and \

---

Comments from Reviewable

[cheremukhin23]

Currently CI fails because the lib can't handle props: @app_props_server_render.to_json , only props: @app_props_server_render. It seems it happens because of code in clientStartup.js.
props = JSON.parse(el.textContent) can't be properly parsed
Working on this issue now

[coveralls]

Coverage increased (+0.006%) to 97.903% when pulling 09b03e5 on cheremukhin23:script-tag into cca1351 on shakacode:master.

[cheremukhin23]

@justin808 All checks pass now

[justin808]

One really important comment:

I think that the conversion of the string JSON props to an object should happen on the Rails side, so that there's no need to double parse on the client side.

We also need a unit test to confirm that a XSS cannot be introduced if the JSON string is passed, rather than object.

---

Reviewed 4 of 4 files at r4.
Review status: all files reviewed at latest revision, 2 unresolved discussions.

---

node_package/src/clientStartup.js, line 101 at r4 (raw file):

  const context = findContext();
  const jsonEl = JSON.parse(el.textContent, (key, value) =>
    (key === 'props' && typeof value === 'string' ? JSON.parse(value) : value),

I think that the conversion of the string JSON props to an object should happen on the Rails side, so that there's no need to double parse on the client side.

We also need a unit test to confirm that a XSS cannot be introduced if the JSON string is passed, rather than object.

---

Comments from Reviewable

[cheremukhin23]

Moved this part to the Rails side

---

Review status: 11 of 15 files reviewed at latest revision, 3 unresolved discussions.

---

node_package/src/clientStartup.js, line 101 at r4 (raw file):

Previously, justin808 (Justin Gordon) wrote…

I think that the conversion of the string JSON props to an object should happen on the Rails side, so that there's no need to double parse on the client side.

We also need a unit test to confirm that a XSS cannot be introduced if the JSON string is passed, rather than object.

Moved it to the rails side to ReactOnRails::ReactComponent::Options. Now we parse all incoming props to hash. Wrote test to ensure we have sanitized react component after passing props as json string

---

Comments from Reviewable

[cheremukhin23]

@justin808 Should work after build is passed. Any comments on last improvements?

[coveralls]

Coverage increased (+0.008%) to 97.906% when pulling d186aa1 on cheremukhin23:script-tag into cca1351 on shakacode:master.

[coveralls]

Coverage increased (+0.008%) to 97.906% when pulling d186aa1 on cheremukhin23:script-tag into cca1351 on shakacode:master.

[coveralls]

Coverage increased (+0.008%) to 97.906% when pulling d186aa1 on cheremukhin23:script-tag into cca1351 on shakacode:master.

[justin808]

Looks EXCELLENT!

We just need the CHANGELOG.md entry and I'll release this.

---

Reviewed 4 of 4 files at r5.
Review status: all files reviewed at latest revision, all discussions resolved.

---

Comments from Reviewable

[justin808]

---

Reviewed 1 of 1 files at r6.
Review status: all files reviewed at latest revision, all discussions resolved.

---

Comments from Reviewable

[coveralls]

Coverage increased (+0.008%) to 97.906% when pulling 82adca1 on cheremukhin23:script-tag into cca1351 on shakacode:master.

[squadette]

Hi, sorry for disappearance.

I've upgraded my project to react-on-rails to 6.9.2 and tested, it works perfectly. Thanks for finishing that!

[justin808]

@squadette Please update to 6.9.3!