diff options
| author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-03-05 20:07:27 -0300 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-03-05 20:07:27 -0300 |
| commit | 403c57aec052d60431dbae57eedae471d548dd01 (patch) | |
| tree | 4ee386f033531cadc3d1f3fe5c5c8d576025d7ad /guides | |
| parent | ddf4c953ae8d10489e0bfd6008bd76395f6e1267 (diff) | |
| download | rails-403c57aec052d60431dbae57eedae471d548dd01.tar.gz rails-403c57aec052d60431dbae57eedae471d548dd01.tar.bz2 rails-403c57aec052d60431dbae57eedae471d548dd01.zip | |
Update the rendering guide to match the current behavior
In the latest security releases render with a trailing slash no more call
render :file.
Also add a note about the security implications of using it with user
parameters.
Diffstat (limited to 'guides')
| -rw-r--r-- | guides/source/layouts_and_rendering.md | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/guides/source/layouts_and_rendering.md b/guides/source/layouts_and_rendering.md index 614ca4dbe1..2722789c49 100644 --- a/guides/source/layouts_and_rendering.md +++ b/guides/source/layouts_and_rendering.md @@ -149,23 +149,22 @@ render template: "products/show" #### Rendering an Arbitrary File -The `render` method can also use a view that's entirely outside of your application (perhaps you're sharing views between two Rails applications): - -```ruby -render "/u/apps/warehouse_app/current/app/views/products/show" -``` - -Rails determines that this is a file render because of the leading slash character. To be explicit, you can use the `:file` option (which was required on Rails 2.2 and earlier): +The `render` method can also use a view that's entirely outside of your application: ```ruby render file: "/u/apps/warehouse_app/current/app/views/products/show" ``` -The `:file` option takes an absolute file-system path. Of course, you need to have rights to the view that you're using to render the content. +The `:file` option takes an absolute file-system path. Of course, you need to have rights +to the view that you're using to render the content. + +NOTE: Using the `:file` option in combination with users input can lead to security problems +since an attacker could use this action to access security sensitive files in your file system. NOTE: By default, the file is rendered using the current layout. -TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to render a file, because Windows filenames do not have the same format as Unix filenames. +TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to +render a file, because Windows filenames do not have the same format as Unix filenames. #### Wrapping it up @@ -238,7 +237,7 @@ TIP: This is useful when you're rendering a small snippet of HTML code. However, you might want to consider moving it to a template file if the markup is complex. -NOTE: When using `html:` option, HTML entities will be escaped if the string is not marked as HTML safe by using `html_safe` method. +NOTE: When using `html:` option, HTML entities will be escaped if the string is not marked as HTML safe by using `html_safe` method. #### Rendering JSON |