fix: use raw output for .to_json in cropper and uploader script tags

tvdeyen · tvdeyen · commit ee9cdc5bc052 · 2026-03-18T18:13:27.000+01:00
ERB's &lt;%= %&gt; HTML-escapes the output, turning JSON double quotes into
&amp;quot; entities which produces invalid JavaScript inside script tags.
Using &lt;%== %&gt; outputs raw JSON, which is correct because script blocks
do not need HTML escaping. Add minimal feature specs for both partials
to catch this class of issue.
diff --git a/app/views/alchemy/admin/crop.html.erb b/app/views/alchemy/admin/crop.html.erb
@@ -22,7 +22,7 @@
 
   const image = document.getElementById("imageToCrop")?.querySelector("img");
 
-  new ImageCropper(image, <%= @settings.merge(
+  new ImageCropper(image, <%== @settings.merge(
     crop_from_form_field_id: params[:crop_from_form_field_id],
     crop_size_form_field_id: params[:crop_size_form_field_id],
     element_id: @element.id
diff --git a/app/views/alchemy/admin/uploader/_setup.html.erb b/app/views/alchemy/admin/uploader/_setup.html.erb
@@ -1,3 +1,3 @@
 <script>
-  Alchemy.uploader_defaults = <%= Alchemy.config.uploader.to_json %>
+  Alchemy.uploader_defaults = <%== Alchemy.config.uploader.to_json %>
 </script>
diff --git a/spec/features/admin/crop_feature_spec.rb b/spec/features/admin/crop_feature_spec.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "Image Cropper", type: :system do
+  before do
+    authorize_user(:as_admin)
+  end
+
+  let(:element) { create(:alchemy_element, name: "all_you_can_eat") }
+  let(:picture) { create(:alchemy_picture) }
+  let(:ingredient) do
+    create(:alchemy_ingredient_picture, element: element, picture: picture)
+  end
+
+  it "renders image cropper settings as valid JavaScript" do
+    visit alchemy.crop_admin_ingredient_path(ingredient, picture_id: picture.id)
+    expect(page).to have_content("new ImageCropper(image, {")
+  end
+end
diff --git a/spec/features/admin/uploader_setup_feature_spec.rb b/spec/features/admin/uploader_setup_feature_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "Uploader setup", type: :system do
+  before do
+    authorize_user(:as_admin)
+  end
+
+  it "renders uploader defaults as valid JavaScript" do
+    visit admin_dashboard_path
+    expect(page).to have_content("Alchemy.uploader_defaults = {")
+  end
+end
