Linter: `erb-no-unsafe-script-interpolation` docs is wrong and interferes with `erb-no-unsafe-raw`

[t27duck]

erb-no-unsafe-script-interpolation says to not use escape_javascript or j() in erb in script tags.

The docs say to do something like this:

<script>
  var name = <%= user.name.to_json %>;
</script>

This actual breaks the resulting Javascript as to_json is not flagged as safe by Rails by default resulting in:

<script>
  var name = &quot;Someone&quot;;
</script>

To unbreak it, you have to call html_safe on it:

<script>
  var name = <%= user.name.to_json.html_safe %>;
</script>

However, this interferes with erb-no-unsafe-raw.

[marcoroth]

Good point, I guess the #to_json option doesn't quite work for string values.

I guess, ideally this should work:

<script>
  var name = "<%= user.name %>";
</script>

or maybe:

<script>
  var name = "<%= html_escape(user.name) %>";
</script>

You don't want to have the server-side responsible for rendering the quotes.

[t27duck]

#to_json also doesn't work for hashes... or anything really. Rails escapes everything.

var data = <%= { a: "b" }.to_json %>;

becoems

var data = {"a":"b"};

Also I think you mean html_escape_once? https://api.rubyonrails.org/classes/ERB/Util.html#method-c-html_escape_once

[marcoroth]

Right, I guess this might work differently in ActionView as it uses ActiveSupport::SafeBuffer which automatically escapes by default. I'll need to check how we can make this work with ActionView. We ported this rule directly form https://github.com/Shopify/erb_lint?tab=readme-ov-file#erbsafety and I guess that it was tuned for the usage with BetterHtml and not with ActionView.