1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Update the rendering guide to match the current behavior

In the latest security releases render with a trailing slash no more call
render :file.

Also add a note about the security implications of using it with user
parameters.
This commit is contained in:
Rafael Mendonça França 2016-03-05 20:07:27 -03:00
parent ddf4c953ae
commit 403c57aec0

View file

@ -149,23 +149,22 @@ render template: "products/show"
#### Rendering an Arbitrary File
The `render` method can also use a view that's entirely outside of your application (perhaps you're sharing views between two Rails applications):
```ruby
render "/u/apps/warehouse_app/current/app/views/products/show"
```
Rails determines that this is a file render because of the leading slash character. To be explicit, you can use the `:file` option (which was required on Rails 2.2 and earlier):
The `render` method can also use a view that's entirely outside of your application:
```ruby
render file: "/u/apps/warehouse_app/current/app/views/products/show"
```
The `:file` option takes an absolute file-system path. Of course, you need to have rights to the view that you're using to render the content.
The `:file` option takes an absolute file-system path. Of course, you need to have rights
to the view that you're using to render the content.
NOTE: Using the `:file` option in combination with users input can lead to security problems
since an attacker could use this action to access security sensitive files in your file system.
NOTE: By default, the file is rendered using the current layout.
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to render a file, because Windows filenames do not have the same format as Unix filenames.
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
render a file, because Windows filenames do not have the same format as Unix filenames.
#### Wrapping it up
@ -238,7 +237,7 @@ TIP: This is useful when you're rendering a small snippet of HTML code.
However, you might want to consider moving it to a template file if the markup
is complex.
NOTE: When using `html:` option, HTML entities will be escaped if the string is not marked as HTML safe by using `html_safe` method.
NOTE: When using `html:` option, HTML entities will be escaped if the string is not marked as HTML safe by using `html_safe` method.
#### Rendering JSON