From 2ba6537f524dfcdd761edbe72f925c26588b4f0e Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Mon, 21 Mar 2016 09:24:29 +0100
Subject: [PATCH] Escape PuSH challenge and change subscriptions and salmon
 APIs to text/plain

---
 app/controllers/api/salmon_controller.rb        | 1 +
 app/controllers/api/subscriptions_controller.rb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/salmon_controller.rb b/app/controllers/api/salmon_controller.rb
index 1df989700..b15aefee9 100644
--- a/app/controllers/api/salmon_controller.rb
+++ b/app/controllers/api/salmon_controller.rb
@@ -1,5 +1,6 @@
 class Api::SalmonController < ApiController
   before_action :set_account
+  respond_to :txt
 
   def update
     ProcessInteractionService.new.(request.body.read, @account)
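Review bot: The added `respond_to :txt` does not by itself make the response text/plain: as far as I know, the class-level declaration only lists the formats that `respond_with` will serve, and no `respond_with` call is visible in either controller in this patch. The same applies to the identical line in `Api::SubscriptionsController`, whose `show` action renders with `render text:` directly. If the aim is to keep these endpoints from being interpreted as HTML, set the type where the response is produced, e.g. `content_type: 'text/plain'` on the render call, and note the intent in a comment such as `# machine-to-machine endpoint, always answered as text/plain`. `update` continues past the end of this hunk, so how it renders cannot be checked from here.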
diff --git a/app/controllers/api/subscriptions_controller.rb b/app/controllers/api/subscriptions_controller.rb
index 6ae038a36..91b987ce4 100644
--- a/app/controllers/api/subscriptions_controller.rb
+++ b/app/controllers/api/subscriptions_controller.rb
@@ -1,9 +1,10 @@
 class Api::SubscriptionsController < ApiController
   before_action :set_account
+  respond_to :txt
 
   def show
     if @account.subscription(api_subscription_url(@account.id)).valid?(params['hub.topic'], params['hub.verify_token'])
-      render text: params['hub.challenge'], status: 200
+      render text: HTMLEntities.new.encode(params['hub.challenge']), status: 200
     else
       render nothing: true, status: 404
     end
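Review bot: Entity-encoding `hub.challenge` on the `render text:` line changes the body whenever the challenge contains `&`, `<`, `>` or quotes, whereas a hub verifying the subscription expects the challenge echoed back unchanged. Verification can therefore fail for such values. The reflected-markup risk is better closed by pinning the response type and echoing the value as received: `render text: params['hub.challenge'], content_type: 'text/plain', status: 200`. Sending `X-Content-Type-Options: nosniff` alongside it would keep browsers from sniffing the body as HTML. A missing `hub.challenge` is also passed straight to the encoder here, so a guard that returns the 404 branch when the parameter is absent would make the behaviour explicit.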