Description
In this video we pair on grokking some unusual API requests that also return JavaScript. We also discuss the best approach of unraveling this complexity.
A: So IP has recently been pinged on a list of some inline JavaScript, that's being... we're fetching JavaScript asynchronously, and then we eval it, and we're concerned about using eval because of security reasons, and also maintainability reasons, so yeah. There is this list of... yes. So.

B: I don't really see how this is concerning, like some... yeah, okay, I was more thinking along the lines of these weird files, so we have these... Let me just look for them, yeah. So we have these weird files, so we have files that are JS files and that are either generated via Haml or ERB, and I was thinking along the lines of those weird files.

B: Oh man, yes, and, to be honest, I don't even know when it's executed. I assume it has something to do with the Rails UJS logic, because all of these files, or a lot of these, are like update.js, show.js, destroy.js, right, which seem to kind of have a connection to these interactions. You know, if you delete something, I don't know. If we want to look into those we could, but it might be a bit of a rabbit hole and we won't know what we find on the other side of the mirror.

C: Well, you know.

B: Let's do it, let's do it. Okay, meanwhile my GDK is updating. GDK, okay. Do you want me to drive? I just updated yesterday. No, no, it should be fine, it shouldn't take long. I also think it should just be working.

B: Update dot js, right, yeah, something like that. Oh gosh, maybe without updates somehow, like maybe... oh yeah, it wasn't that smart, but it should be in Haml files, right?

B: Action, format js, render shared members update. So if this is gone, like, if we can't find this at all there, we do it format js. This is the reason why we didn't find it, so.

C: Great, oh.

A: Let's search for it again. Yeah, I just did a project-wide search for it. I don't see anything. The other thing is we could try running, you know, our members and just try to update a member and see if that JavaScript ever gets pinged in the network, or if it gets loaded or something.

A: Oh, and so then, is that what they were talking about, this, like we have these global evals on these Ajax... Oh.

A: Changing their, like, on the drop-down, there would...

B: Wait a second, if you change the drop-down. Yes, oh wow! What? No, I'm not. What did I do? I didn't want to navigate back. You're saying if I'm changing in the drop-down, like the role. I mean, update action, membershipable, it's a very funny word. Members and requesters, find new membershipable, current user, member params. To be honest, this sounds a little bit like if you update your own membership.

B: Group and project, okay, include membership actions, so update should be like... Okay, it's included. Okay, so memberships require access level, expires at, update params, so update: members update service new, execute, member find by id. So it's definitely updating. New current user, update params. What is current user? Why update service? Okay, members update service, update, params, execute member, member equals, okay.

C: It's super weird, so do we even use... Do we even use update?

A: If we had... if we didn't put the escape JavaScript here, yes.

A: Bad would happen. We could verify that this thing is being run by, like, maybe we want to add a console log to that JavaScript, because if it's not being run, I'd say let's just remove it. Let's not even try to, like...

B: Excuse me, yeah, sounds like more than just your family has a cold. I'm over it.

A: Okay, but I really just don't know.

A: Oh, what's that? A 404, looks...

B: But why, like, is this Vue? Or is this maybe... maybe it's about the expiration date.

A: No, it doesn't look Vue-y. Can you give me a selector for the drop-down, or for one of these, Rails? I was going to explore j.

B: Twice. Okay, yeah, so the selector for this one, for the drop-down, you said? Yeah, yeah, it's js edit member form.

B: Just, I currently have an MR that replaces not that often.

B: To be honest, sometimes it's really nice because some modals, some will actually just give you a confirmation modal. Yeah, yeah, data confirm, this is the one, like if you... sometimes it just works, sometimes... and you know, to be honest, sometimes people are even using it in Vue files.

A: I would be sad, I would be... I would be remiss if we came across this and the thing that we did was use document create element and query selector instead of replacing this.

A: Yeah, you bring up a good point, so here's another approach to this, yeah, because there's actually a couple of performance hits happening by doing it this way. One is, like, our... you know. Oh, I guess we have a whole bunch of conditions, so the return body isn't going to be so huge, of that one JavaScript string, but we don't really need a return body, but that is, you know, that's going to take up some bandwidth of how long it takes to update you.

A: Also, I don't remember what else I was gonna say, but anyway, so that we don't have to move all of that over to Vue, and we could still do this in a vanilla JS way. What if we just put that template, or that Haml template? Oh no, but I guess we can't. We don't want... I guess it's in Haml. I was thinking...

A: Maybe we could put in a template script or, like, and then reference it from the JavaScript to, like, render or update or do whatever it needs to do, but I'm realizing now that we'd still have to do some rewriting of it, because we can't, like, generate a Haml script on the frontend. I'm just now getting back. Things are coming to me. No.

B: I think there are different concerns here, right. It's also interesting. Wait, list item name, so it's actually not even replacing the whole thing. It's just looking for this one thing that's called list item name. We could do it, so, so yeah, it's just basically taking this first... oh wow.

A: It is confusing, but...

B: Right, that's what the Rails JavaScript is doing under the hood, essentially, right. It sees: oh, I have one of these forms with state, with data-remote, whatever, I'm now going to add an event handler here, and by adding that event handler, you know, I will then do the thing and I will execute whatever JavaScript I get back.

B: That's essentially what's happening, right. To be honest, one of the things that I already would consider a win is if that thing didn't return any JavaScript, but just returned the HTML, and then on the JavaScript side we did things. But it would mean that we, you know, basically moving... changing this to actually return the HTML, like, hey, this is the new user object, and then do the thing in JavaScript. It's just moving the thing by one layer.

A: That's a good... I think that's a good approach.

B: Why is the pipeline failing again? I hope it's... so you can see exactly, this is like... Oh, where do we have the form stuff? There is, like... no, the confirm, it's essentially similar with the confirm modal, but form submit.

A: Is this the thing, jsx's, yeah, this? This is the thing, and I think that form submit is called, like, for either.

A: Oh, is it one? Is it one form wrapping both of those inputs? Yes, okay, yeah, so that form submit is called whenever we need to trigger one of those things.

A: Yeah, like on drop-down clicked, on line 20 24 slash 25. So when we call the form submit... and I think we'll be... I think we're not gonna affect it too much.

A: So here's the thing, though, like, if you go back, because I want us to use our time effectively. Yes, it's still a little smelly to be returning, you know, this kind of HTML from the back end, because, you know, the back end technically has multiple clients other than just this one thing. So yeah, we're getting rid of the JavaScript that's returning, which is a big deal, but we still have... the only reason we're doing this JavaScript return is because we still have this underlying problem of reactivity.

A: For this thing, and even if we move it to HTML or we get rid of jQuery or whatever, that underlying problem is still there, which is hurting maintainability, which... Jackie brings up a good point. I have no idea what's going on. I think our time might be best spent trying to move this over to Vue, even though it's going to take longer, because there's going to be...

B: A lot of effort. It will still function the same way using native DOM APIs, and we could eventually get rid of jQuery, because if the Vue refactor of this is not done within the next, you know, that's your point, months, it will still block us. You know, I...

A: Yes, okay, gotcha, that's a good point, and I think, yeah, whatever we do, we should do incrementally, and I think, yeah, you're right, IP. If it's a really low-hanging fruit that we can just get rid of jQuery here, if we plan on removing it altogether later, that's, yeah, long term.

A: I don't know if we can do line four without jQuery.

A: There is, like, a replace node function in vanilla JS. Oh.

B: Old node equals this one, yep, oops, yeah, you know, that's right, old node is this one, and then we do old node parent, here it, child, and then it would be... What was it? Oh, oh, replace!

B: So you're saying in this one... oh god, where is it now, update.js.haml? I would just do... oh, but now I'm confused, like, how is the API of that time ago thingy? Wait, what, what you could do? No, look, it's not. This is weird, because the second parameter of that file should be a boolean.

A: Don't do it, I think. That's why that time is changing, you know, like when it was so many minutes ago. You really noticed it because we would change it, like, every minute, because those times aren't...

A: Function statement requires a name, function statement. I don't know why it's doing that. Oh, I think you need to immediately invoke it, like... I think.

B: Yep, expires intended, so it does seem like we don't even need to update.

B: We don't even need to do the time ago thing. Oh, the tool, what... I love these states, if you end up in something like this.

A: Yeah, I think it's no harm keeping it, but I see, yeah, if you want to get rid of jQuery completely here on this page, we would need to change local time ago to accept... I'm just saying, let's just have it wrap the arg it takes in jQuery, so they can do that.

B: I think it's interesting, I will have a look, because there are not that many of those, right, and just replacing jQuery in there will actually help us.

B: There's an epic, but we haven't created issues yet for the individual jQuery usages, because currently 400 files use jQuery and it felt like a bit of an overkill to just create 400 issues. But it's a good point. It probably makes sense to create, you know, one for, hey, let's remove jQuery from the global scope as a first thing. You know what...

A: What do you think of... yeah, we have 400 files that use it. What do you think of creating issues per, like, top-level JavaScripts folder, like saying, oh, we're going to remove it from javascripts/clusters and remove it from javascripts/...

A: These large-scale changes get done because we can include tricks like this. So here's how we can get rid of replaceWith, and then a community contributor can just get going. Yeah! That's cool, yeah, hey, IP! If you're happy getting rid of jQuery here, I'm happy for you.

D: Hold on, I meant to look for it. There is... it's in the same area. It's in the same area on the same Haml page, okay, it'd be an invite member, yeah.

A: I'm so glad you brought this up. In IDE world... I think it was in the IDE. No, it was in approvals. We had a need for using Select2 in a Vue app, so I wrapped... yes, so, like, you can wrap, like, vanilla JS or jQuery-based components in a Vue component.

A: Yeah, it would be in... Let me see if I can find the name of it. I think it's select two, yeah, yeah, is this it? I think this might be it.

A: All right, give me a quick second. I had to do this as well, with the Select2, yeah, we have it.

B: So if it's unmounted it just, yes, does its thing, and that template is actually really, really tiny and, as I said, you know, it has the big benefit that we can get rid of that... we can, you know, basically implement a new approval select that's completely based on GitLab UI or whatever, and then swap out the files and basically leave the API the same, right.

A: Yeah, so check out this thing, Jackie, and you might find there's another abstraction where we can just put a Select2 wrapper into its own bucket, yeah, into its own component, because it looks like... I was looking for something Select2-specific, but it looks like this has approver-specific logic, but it's not much, so it looks like we could abstract this too.

A: Yep, what's really nice is that Select2 becomes an implementation detail, and that means we can change that implementation detail later on. The downside is we're kicking the can down the road; we're not gonna be able to replace jQuery until we actually fix this. I mean, this is gonna make it easier for us, definitely.

B: If I'm still here, the thing with Select2, and that's what I mentioned before, is, like, eventually, you know, it's fine, that's an implementation detail, but if we remove it from the global scope, we are able to have people not suffer through loading jQuery and Select2 on every page, right.

B: So this is nice, right, even if we have removed all jQueries and Select2s and this one stays. That then means that just on the pages where the approval select is used, it will be loaded, right. But right now, because we have, like, main.js, we do import jQuery and then, you know, window.jQuery and window.$ in the global scope, to do remove.

A: This is a very good point, and if not, I would suggest doing that, because the scope of remove all of jQuery is so large. That's a little daunting, but maybe just global-scope jQuery we can really focus on, and be able to, like, lower issues.

B: There are multiple efforts. The global scope one is probably a good one, because I think the only global scope that we have is actually that stuff, like... I think I need to check. That's a good call-out. I will make sure to create a few issues and I will present them in the next frontend call.

A: Cool, yeah, that'd be awesome. If you want, if you create it, and if you want me to create, like, the underlying issues under the epic, I could do that if you'd want. However, just let me know if there's anything I can do to help.

A: Thanks, yeah, thanks. Well, this is cool. This was fun. This was a good conversation, and it was a good exercise, one little...

B: Yeah, I don't know, it's also something that we should probably forbid in general, like we often add stuff to the global scope. So, for example, in these utils earlier, we have these common utils, and earlier this year I found, like, because we add some of them also to the window, I believe... oh yes, yep. Obviously it's somewhere else. I know what you're talking about, yeah, so we have, like, utils that we add to the global scope, and then, you know, having a look at it...

B: We found out, hey, they are put in the global scope and that's basically their only usage, and other than that they're never used again, and so it's like, oh good, they're never used again. Maybe we can just delete them, and we were able to delete a bunch of helper functions that nobody used, right.

A: Anyway, that's a good point, yeah! Oh yes, there's another bad boy, no anime, disable that rule, yeah. That's a good point! I got globals and singletons and it pains me. I'm actually gonna do this today, since you brought it up. We have, like, a design patterns page in our frontend guide and the only design pattern in there is singleton.

A: I'm gonna just delete all of that, yeah. This is a good conversation. This was really helpful. I'm going to hop off. IP, Jackie, it was great seeing you all, and thanks for driving.