instance method
url_from
Ruby on Rails 8.0.4
Since v7.0.10
Signature
url_from(location)
Verifies that the passed location is an internal URL that’s safe to redirect to and returns it, or nil if not. Useful to wrap a params-provided redirect URL and fall back to an alternate URL to redirect to:
redirect_to url_from(params[:redirect_url]) || root_url
The location is considered internal, and safe, if it’s on the same host as request.host:
# If request.host is example.com:
url_from("https://example.com/profile") # => "https://example.com/profile"
url_from("http://example.com/profile")  # => "http://example.com/profile"
url_from("http://evil.com/profile")     # => nil
Subdomains are considered part of the host:
# If request.host is on https://example.com or https://app.example.com, you'd get:
url_from("https://dev.example.com/profile") # => nil
NOTE: there’s a similarity with url_for, which generates an internal URL from various options from within the app, e.g. url_for(@post). However, #url_from is meant to take an external parameter to verify as in url_from(params[:redirect_url]).
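The same-host rule described above, modelled as an added stand-alone sketch with Ruby's standard URI library; it is not Rails' code and not part of the original page. The helper names `internal_url_or_nil` and `redirect_target`, the sample inputs, and the treatment of host-less values are assumptions of this example.

```ruby
require "uri"

# Hypothetical helper (not Rails' implementation): return +location+ only
# when its host is exactly +request_host+, otherwise nil.
def internal_url_or_nil(location, request_host)
  location = location.to_s
  return nil if location.strip.empty?      # blank input, like `location.presence`

  host = URI.parse(location).host
  return location if host == request_host  # exact match, so subdomains fail
  return nil unless host.nil?              # any other host is rejected

  # Assumption of this sketch: a host-less value is accepted only as a local
  # path ("/profile"), never as a protocol-relative URL ("//other-host").
  location.start_with?("/") && !location.start_with?("//") ? location : nil
rescue URI::InvalidURIError
  nil                                      # unparseable input is never a target
end

# The fallback pattern from the page: validated location, else a default.
def redirect_target(location, request_host, fallback)
  internal_url_or_nil(location, request_host) || fallback
end

# Constructed sample inputs, evaluated as if request.host were "example.com".
SAMPLES = [
  "https://example.com/profile",           # same host
  "http://evil.com/profile",               # different host
  "https://dev.example.com/profile",       # subdomain is a different host
  "https://example.com.evil.com/profile",  # request host used as a prefix only
  "//evil.com/profile",                    # protocol-relative, carries a host
  "/profile",                              # local path
  "",                                      # blank parameter
  "http://exa mple.com/",                  # malformed
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    puts format("%-42s => %s", s.inspect, redirect_target(s, "example.com", "/").inspect)
  end
end
```

Only the first and sixth samples survive validation; every other input falls back to `"/"`.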
Parameters
- location (required)
Source
# File actionpack/lib/action_controller/metal/redirecting.rb, line 203
def url_from(location)
  location = location.presence
  location if location && _url_host_allowed?(location)
end
Defined in actionpack/lib/action_controller/metal/redirecting.rb line 203
Defined in ActionController::Redirecting