kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Update guide for render file:

Browse source 
Most of this section was written from the time that render file: was the
default, before CVE-2016-0752.

This updates the guide to the Rails 6 `render file:` behaviour, moves it
to a more appropriate part of the file.

[ci skip]
This commit is contained in:
John Hawthorn 2019-07-13 21:13:42 -07:00
parent 85fa9b6549
commit 9fe5aa32a7
1 changed files with 17 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
guides/source/layouts_and_rendering.md
View file

@ -149,25 +149,6 @@ Rails knows that this view belongs to a different controller because of the embe
render template: "products/show" render template: "products/show"
``` ```
#### Rendering an Arbitrary File
The `render` method can also use a view that's entirely outside of your application:
```ruby
render file: "/u/apps/warehouse_app/current/app/views/products/show"
```
The `:file` option takes an absolute file-system path. Of course, you need to have rights
to the view that you're using to render the content.
NOTE: Using the `:file` option in combination with users input can lead to security problems
since an attacker could use this action to access security sensitive files in your file system.
NOTE: By default, the file is rendered using the current layout.
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
render a file, because Windows filenames do not have the same format as Unix filenames.
#### Wrapping it up #### Wrapping it up
The above three ways of rendering (rendering another template within the controller, rendering a template within another controller, and rendering an arbitrary file on the file system) are actually variants of the same action. The above three ways of rendering (rendering another template within the controller, rendering a template within another controller, and rendering an arbitrary file on the file system) are actually variants of the same action.
@ -279,6 +260,23 @@ time.
NOTE: Unless overridden, your response returned from this render option will be NOTE: Unless overridden, your response returned from this render option will be
`text/plain`, as that is the default content type of Action Dispatch response. `text/plain`, as that is the default content type of Action Dispatch response.
#### Rendering raw file
Rails can render a raw file from an absolute path. This is useful for
conditionally rendering static files like error pages.
```ruby
render file: "#{Rails.root}/public/404.html", layout: false
```
This renders the raw file (it doesn't support ERB or other handlers). By
default it is rendered within the current layout.
WARNING: Using the `:file` option in combination with users input can lead to security problems
since an attacker could use this action to access security sensitive files in your file system.
TIP: `send_file` is often a faster and better option if a layout isn't required.
#### Options for `render` #### Options for `render`
Calls to the `render` method generally accept five options: Calls to the `render` method generally accept five options: