
file_field is not sticky in my Rails form

I have a pretty standard Rails form:

<div>
    <h1>Create a New Listing</h1>
    <%- form_for @listing, :html => {:multipart => true} do |f| -%>
        <div><%= f.label :title, "Title:" %> <%= f.text_field :title %></div>
        <div>
            <%= f.label :image, "Image:" %> <%= f.file_field :image %>
        </div>
        <div>
            <%= f.label :sound, "Sound Clip:" %> <%= f.file_field :sound %><br />
        </div>
        <div class="submit"><%= f.submit 'Post Listing' %></div>
    <%- end -%>
</div>

When a user chooses a file, but the form fails for validation purposes, he must always re-select the file. It is not sticky. Any suggestion on how to fix this?

Thanks!

You can't make the file field sticky, I think. Even if Rails provides the initial value, most browsers will just ignore it (or otherwise, some smart-aleck could set the default file to /etc/passwd, and if you don't pay attention, next thing you know your box is rooted).

The best you can do that I can think of is set a flag that says a file has already been uploaded, so if the user does not select another one, use the one already sent in the last request.

UPDATE: You'd be surprised how many people have no security skills whatsoever. I've known people to use a browser as root. However, "why" is not exactly an issue - the important point I was trying to make is just that it's not Rails's fault, the problem most likely lies in the browser behaviour.

You can read an article that says it better than I can...

UPDATE 2: "Your box is rooted" should say "the user's box is rooted". The scenario I describe is this: User submits a file innocent.txt and a CAPTCHA. Malicious server responds CAPTCHA is wrong, enter it again, and covertly changes the file from innocent.txt to ~/.ssh/id_rsa. User does not look at the file field (he already put in the correct value there), so just redoes the CAPTCHA and pushes submit. Now the server has the user's private SSH key.
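The flag-based workaround from the answer above, as an added example that is not code from the original post: a plain-Ruby stand-in for the controller logic (the Listing struct, the PendingUploads store and the create_listing action are all assumed names, not Rails APIs). On validation failure the upload is kept server-side under a random token that goes back to the form as a hidden field; on resubmit without a newly chosen file, the stored copy is used. The client only ever sees the opaque token, never a path, so it cannot point the server at an arbitrary file.

```ruby
require "securerandom"
require "tmpdir"
require "fileutils"

# Assumed stand-in for the Listing model: valid when it has a title and an image.
Listing = Struct.new(:title, :image_path) do
  def valid?
    !title.to_s.strip.empty? && !image_path.nil?
  end
end

# Server-side store of uploads kept between a failed validation and the resubmit.
# The client gets only a random token (the "flag" from the answer), never a path.
class PendingUploads
  def initialize(dir = Dir.mktmpdir("pending"))
    @dir = dir
    @tokens = {} # token => stored path, known only to the server
  end

  # Copy the upload under a fresh random name and hand back its token.
  def stash(uploaded_path)
    token = SecureRandom.hex(16)
    dest = File.join(@dir, token)
    FileUtils.cp(uploaded_path, dest)
    @tokens[token] = dest
    token
  end

  # Look up by token only; a token the server never issued yields nil.
  def fetch(token)
    @tokens[token]
  end
end

# Controller-style create action over constructed params: :title, :image (path of a
# freshly chosen file, or nil if the field was left empty) and :pending_image (the
# hidden token from the previous attempt). Returns [status, listing, token].
def create_listing(params, store)
  pending = params[:pending_image].to_s
  image = params[:image] || store.fetch(pending)
  listing = Listing.new(params[:title], image)
  return [:created, listing, nil] if listing.valid?
  # Validation failed: remember a fresh upload, or keep an already known token,
  # so the user does not have to re-select the file.
  token = if params[:image] then store.stash(params[:image])
          elsif image then pending
          end
  [:invalid, listing, token]
end
```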
