Update the rendering guide to match the current behavior

In the latest security releases, render with a trailing slash no longer calls
render :file.

Also add a note about the security implications of using it with user
parameters.
Parent ddf4c953
......@@ -149,23 +149,22 @@ render template: "products/show"
#### Rendering an Arbitrary File
The `render` method can also use a view that's entirely outside of your application (perhaps you're sharing views between two Rails applications):
```ruby
render "/u/apps/warehouse_app/current/app/views/products/show"
```
Rails determines that this is a file render because of the leading slash character. To be explicit, you can use the `:file` option (which was required on Rails 2.2 and earlier):
The `render` method can also use a view that's entirely outside of your application:
```ruby
render file: "/u/apps/warehouse_app/current/app/views/products/show"
```
The `:file` option takes an absolute file-system path. Of course, you need to have rights to the view that you're using to render the content.
The `:file` option takes an absolute file-system path. Of course, you need to have rights
to the view that you're using to render the content.
NOTE: Using the `:file` option in combination with users input can lead to security problems
since an attacker could use this action to access security sensitive files in your file system.
NOTE: By default, the file is rendered using the current layout.
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to render a file, because Windows filenames do not have the same format as Unix filenames.
TIP: If you're running Rails on Microsoft Windows, you should use the `:file` option to
render a file, because Windows filenames do not have the same format as Unix filenames.
#### Wrapping it up
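Review bot: The new NOTE line has a grammar and hyphenation slip: "users input" should read "user input" and "security sensitive files" should be "security-sensitive files". While fixing that, the note would be more useful if it also stated the practical rule that the commit message hints at: never build the path passed to `render file:` from request parameters, and resolve any legitimately dynamic choice to a fixed allow-list of paths in application code before calling `render`. Since the removed paragraph explained that a leading slash used to trigger a file render, a brief sentence saying that this implicit behaviour no longer applies and that `:file` is now required would help readers of older code understand why the example changed.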
......@@ -238,7 +237,7 @@ TIP: This is useful when you're rendering a small snippet of HTML code.
However, you might want to consider moving it to a template file if the markup
is complex.
NOTE: When using `html:` option, HTML entities will be escaped if the string is not marked as HTML safe by using `html_safe` method.
NOTE: When using `html:` option, HTML entities will be escaped if the string is not marked as HTML safe by using `html_safe` method.
#### Rendering JSON
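Review bot: The old and new NOTE lines are indistinguishable in the rendered view, so this change appears to be whitespace-only; if that is intended, it is fine, but the sentence could be tidied at the same time: "When using the `html:` option, HTML entities will be escaped unless the string is marked as HTML safe with the `html_safe` method." It may also be worth adding that marking user-supplied strings with `html_safe` disables that escaping, which is the usual way cross-site scripting slips into `render html:` calls.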