klass always trusted, but safer pattern

ankane · Jun 4, 2019 · 7d9396c · 7d9396c
1 parent cad8cf9
commit 7d9396c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/chartkick/helper.rb b/lib/chartkick/helper.rb
@@ -74,15 +74,15 @@ def chartkick_chart(klass, data_source, **options)
 
       # js vars
       js_vars = {
-        type: klass, # don't convert to JSON, but still escape
+        type: klass.to_json,
         id: element_id.to_json,
         data: data_source.respond_to?(:chart_json) ? data_source.chart_json : data_source.to_json,
         options: options.to_json
       }
       js_vars.each_key do |k|
         js_vars[k] = chartkick_json_escape(js_vars[k])
       end
-      createjs = "new Chartkick.%{type}(%{id}, %{data}, %{options});" % js_vars
+      createjs = "new Chartkick[%{type}](%{id}, %{data}, %{options});" % js_vars
 
       if defer
         js = <<JS