kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Update guide for render file:

Browse source 
Most of this section was written from the time that render file: was the
default, before CVE-2016-0752.

This updates the guide to the Rails 6 `render file:` behaviour, moves it
to a more appropriate part of the file.

[ci skip]
This commit is contained in:
John Hawthorn 2019-07-13 21:13:42 -07:00
parent 85fa9b6549
commit 9fe5aa32a7
1 changed files with 17 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
guides/source/layouts_and_rendering.md
View file

@ -149,25 +149,6 @@ Rails knows that this view belongs to a different controller because of the embe
render template: "products/show"
```
#### Rendering an Arbitrary File
The `render` method can also use a view that's entirely outside of your application:
```ruby
render file: "/u/apps/warehouse_app/current/app/views/products/show"
```
The `:file` option takes an absolute file-system path. Of course, you need to have rights
to the view that you're using to render the content.
NOTE: Using the `:file` option in combination with users input can lead to security problems
since an attacker could use this action to access security sensitive files in your file system.
NOTE: By default, the file is rendered using the current layout.
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
render a file, because Windows filenames do not have the same format as Unix filenames.
#### Wrapping it up
The above three ways of rendering (rendering another template within the controller, rendering a template within another controller, and rendering an arbitrary file on the file system) are actually variants of the same action.
@ -279,6 +260,23 @@ time.
NOTE: Unless overridden, your response returned from this render option will be
`text/plain`, as that is the default content type of Action Dispatch response.
#### Rendering raw file
Rails can render a raw file from an absolute path. This is useful for
conditionally rendering static files like error pages.
```ruby
render file: "#{Rails.root}/public/404.html", layout: false
```
This renders the raw file (it doesn't support ERB or other handlers). By
default it is rendered within the current layout.
WARNING: Using the `:file` option in combination with users input can lead to security problems
since an attacker could use this action to access security sensitive files in your file system.
TIP: `send_file` is often a faster and better option if a layout isn't required.
#### Options for `render`
Calls to the `render` method generally accept five options: