TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

[ci skip] Update documenation formatting to link to methods/constants and fix code fences

Browse Source
This commit is contained in:
Kasper Timm Hansen 2021-11-06 03:32:21 +01:00
parent 1000465d85
commit 754c0f8a15
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
actionpack/lib/action_controller/metal/redirecting.rb
View File

@ -66,19 +66,19 @@ class UnsafeRedirectError < StandardError; end
# === Open Redirect protection
#
# By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
# Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with `raise_on_open_redirects` in `config/initializers/new_framework_defaults_7_0.rb`
# Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with #raise_on_open_redirects in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
#
# Here redirect_to automatically validates the potentially-unsafe URL:
# Here #redirect_to automatically validates the potentially-unsafe URL:
#
# redirect_to params[:redirect_url]
#
# Raises <tt>ActionController::Redirecting::UnsafeRedirectError</tt> in the case of an unsafe redirect.
# Raises #UnsafeRedirectError in the case of an unsafe redirect.
#
# To allow any external redirects pass `allow_other_host: true`, though using a user-provided param in that case is unsafe.
#
# redirect_to "https://rubyonrails.org", allow_other_host: true
#
# See <tt>url_from</tt> for more information on what an internal and safe URL is, or how to fall back to an alternate redirect URL in the unsafe case.
# See #url_from for more information on what an internal and safe URL is, or how to fall back to an alternate redirect URL in the unsafe case.
def redirect_to(options = {}, response_options = {})
raise ActionControllerError.new("Cannot redirect to nil!") unless options
raise AbstractController::DoubleRenderError if response_body
@ -152,7 +152,7 @@ def _compute_redirect_to_location(request, options) # :nodoc:
#
# redirect_to url_from(params[:redirect_url]) || root_url
#
# The +location+ is considered internal, and safe, if it's on the same host as the <tt>request.host</tt>:
# The +location+ is considered internal, and safe, if it's on the same host as <tt>request.host</tt>:
#
# # If request.host is example.com:
# url_from("https://example.com/profile") # => "https://example.com/profile"
@ -164,8 +164,8 @@ def _compute_redirect_to_location(request, options) # :nodoc:
# # If request.host is on https://example.com or https://app.example.com, you'd get:
# url_from("https://dev.example.com/profile") # => nil
#
# NOTE: there's a similarity with <tt>url_for</tt>, which generates an internal URL from various options from within the app, e.g. `url_for(@post)`.
# However, <tt>url_from</tt> is meant to take an external parameter to verify as in `url_from(params[:redirect_url])`.
# NOTE: there's a similarity with #url_for, which generates an internal URL from various options from within the app, e.g. <tt>url_for(@post)</tt>.
# However, #url_from is meant to take an external parameter to verify as in <tt>url_from(params[:redirect_url])</tt>.
def url_from(location)
location = location.presence
location if location && _url_host_allowed?(location)