mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Update the rendering guide to match the current behavior
In the latest security releases, render with a trailing slash no longer calls `render :file`. Also add a note about the security implications of using it with user parameters.
parent
ddf4c953ae
commit
403c57aec0
1 changed files with 9 additions and 10 deletions
|
@ -149,23 +149,22 @@ render template: "products/show"
|
||||||
|
|
||||||
#### Rendering an Arbitrary File
|
#### Rendering an Arbitrary File
|
||||||
|
|
||||||
The `render` method can also use a view that's entirely outside of your application (perhaps you're sharing views between two Rails applications):
|
The `render` method can also use a view that's entirely outside of your application:
|
||||||
|
|
||||||
```ruby
|
|
||||||
render "/u/apps/warehouse_app/current/app/views/products/show"
|
|
||||||
```
|
|
||||||
|
|
||||||
Rails determines that this is a file render because of the leading slash character. To be explicit, you can use the `:file` option (which was required on Rails 2.2 and earlier):
|
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
render file: "/u/apps/warehouse_app/current/app/views/products/show"
|
render file: "/u/apps/warehouse_app/current/app/views/products/show"
|
||||||
```
|
```
|
||||||
|
|
||||||
The `:file` option takes an absolute file-system path. Of course, you need to have rights to the view that you're using to render the content.
|
The `:file` option takes an absolute file-system path. Of course, you need to have rights
|
||||||
|
to the view that you're using to render the content.
|
||||||
|
|
||||||
|
NOTE: Using the `:file` option in combination with users input can lead to security problems
|
||||||
|
since an attacker could use this action to access security sensitive files in your file system.
|
||||||
|
|
||||||
NOTE: By default, the file is rendered using the current layout.
|
NOTE: By default, the file is rendered using the current layout.
|
||||||
|
|
||||||
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to render a file, because Windows filenames do not have the same format as Unix filenames.
|
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
|
||||||
|
render a file, because Windows filenames do not have the same format as Unix filenames.
|
||||||
|
|
||||||
#### Wrapping it up
|
#### Wrapping it up
|
||||||
|
|
||||||
|
|
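Review bot: The new NOTE in this hunk ("Using the `:file` option in combination with users input can lead to security problems since an attacker could use this action to access security sensitive files in your file system.") states the risk but gives the reader no guidance on what to do instead; since `:file` now takes an absolute file-system path and is the only form the guide still documents, the note should say plainly that the path must never be built from request parameters and that, where a choice between files is needed, the controller should map a parameter to a fixed allowlist of paths rather than passing it through. Two wording fixes on the same lines: "users input" should be "user input", and "security sensitive files" should be "security-sensitive files". Separately, the Windows TIP kept at the end of the hunk ("you should use the `:file` option to render a file, because Windows filenames do not have the same format as Unix filenames") only made sense while the guide described the leading-slash shorthand that this hunk removes; with `render file:` now the only documented way to render a file, the TIP no longer has anything to contrast against and should be dropped or reworded.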