From ede0f8c62d825089e6676c2af7a035bd8ca94b01 Mon Sep 17 00:00:00 2001
From: Prem Sichanugrist <s@sikac.hu>
Date: Tue, 18 Feb 2014 09:30:43 -0500
Subject: Update upgrading guide regarding `render :text`

---
 guides/source/upgrading_ruby_on_rails.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'guides/source/upgrading_ruby_on_rails.md')

diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md
index 76722c9ea9..a8b7c9d492 100644
--- a/guides/source/upgrading_ruby_on_rails.md
+++ b/guides/source/upgrading_ruby_on_rails.md
@@ -329,6 +329,25 @@ User.inactive
 # SELECT "users".* FROM "users" WHERE "users"."state" = 'inactive'
 ```
 
+### Rendering content from string
+
+Rails 4.1 introduces `:plain`, `:html`, and `:body` options to `render`. Those
+options are now the preferred way to render string-based content, as it allows
+you to specify which content type you want the response sent as.
+
+* `render :plain` will set the content type to `text/plain`
+* `render :html` will set the content type to `text/html`
+* `render :body` will *not* set the content type header.
+
+From the security standpoint, if you don't expect to have any markup in your
+response body, you should be using `render :plain` as most browsers will escape
+unsafe content in the response for you.
+
+We will be deprecating the use of `render :text` in a future version. So please
+start using the more precise `:plain:`, `:html`, and `:body` options instead.
+Using `render :text` may pose a security risk, as the content is sent as
+`text/html`.
+
 Upgrading from Rails 3.2 to Rails 4.0
 -------------------------------------
 
-- 
cgit v1.2.3