SECURITY: prefer render plain/html to render text where possible
This commit is contained in:
parent
e49f3a408e
commit
0013a23dc1
|
@ -14,7 +14,7 @@ class Admin::DiagnosticsController < Admin::AdminController
|
|||
|
||||
text << "\n\nCOUNT #{statements.count}"
|
||||
|
||||
render text: text, content_type: Mime::TEXT
|
||||
render plain: text
|
||||
end
|
||||
|
||||
def memory_stats
|
||||
|
@ -33,7 +33,7 @@ class Admin::DiagnosticsController < Admin::AdminController
|
|||
text = MemoryDiagnostics.memory_report(class_report: params.key?(:full))
|
||||
end
|
||||
|
||||
render text: text, content_type: Mime::TEXT
|
||||
render plain: text
|
||||
end
|
||||
|
||||
def dump_heap
|
||||
|
@ -46,9 +46,9 @@ class Admin::DiagnosticsController < Admin::AdminController
|
|||
ObjectSpace.dump_all(:output => io)
|
||||
io.close
|
||||
|
||||
render text: "HEAP DUMP:\n#{io.path}", content_type: Mime::TEXT
|
||||
render plain: "HEAP DUMP:\n#{io.path}"
|
||||
rescue
|
||||
render text: "HEAP DUMP:\nnot supported", content_type: Mime::TEXT
|
||||
render plain: "HEAP DUMP:\nnot supported"
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -85,7 +85,7 @@ class Admin::EmailController < Admin::AdminController
|
|||
def handle_mail
|
||||
params.require(:email)
|
||||
Email::Processor.process!(params[:email])
|
||||
render text: "email was processed"
|
||||
render plain: "email was processed"
|
||||
end
|
||||
|
||||
def raw_email
|
||||
|
|
|
@ -29,7 +29,7 @@ class ApplicationController < ActionController::Base
|
|||
unless is_api? || is_user_api?
|
||||
super
|
||||
clear_current_user
|
||||
render text: "[\"BAD CSRF\"]", status: 403
|
||||
render plain: "[\"BAD CSRF\"]", status: 403
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -159,7 +159,7 @@ class ApplicationController < ActionController::Base
|
|||
|
||||
render_json_error I18n.t(type), type: type, status: status_code
|
||||
else
|
||||
render text: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
|
||||
render html: build_not_found_page(status_code, include_ember ? 'application' : 'no_ember')
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ class ExceptionsController < ApplicationController
|
|||
# Don't show google search if it's embedded in the Ember app
|
||||
@hide_google = true
|
||||
|
||||
render text: build_not_found_page(200, false)
|
||||
render html: build_not_found_page(200, false)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -6,9 +6,9 @@ class ForumsController < ApplicationController
|
|||
|
||||
def status
|
||||
if $shutdown
|
||||
render text: 'shutting down', status: 500, content_type: 'text/plain'
|
||||
render plain: 'shutting down', status: 500
|
||||
else
|
||||
render text: 'ok', content_type: 'text/plain'
|
||||
render plain: 'ok'
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ class OneboxController < ApplicationController
|
|||
preview = Oneboxer.cached_preview(params[:url])
|
||||
preview.strip! if preview.present?
|
||||
|
||||
return render(text: preview) if preview.present?
|
||||
return render(plain: preview) if preview.present?
|
||||
|
||||
# only 1 outgoing preview per user
|
||||
return render(nothing: true, status: 429) if Oneboxer.is_previewing?(params[:user_id])
|
||||
|
@ -26,7 +26,7 @@ class OneboxController < ApplicationController
|
|||
if preview.blank?
|
||||
render nothing: true, status: 404
|
||||
else
|
||||
render text: preview
|
||||
render plain: preview
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ class PostsController < ApplicationController
|
|||
def markdown_num
|
||||
if params[:revision].present?
|
||||
post_revision = find_post_revision_from_topic_id
|
||||
render text: post_revision.modifications[:raw].last, content_type: 'text/plain'
|
||||
render plain: post_revision.modifications[:raw].last
|
||||
else
|
||||
markdown Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i)
|
||||
end
|
||||
|
@ -27,7 +27,7 @@ class PostsController < ApplicationController
|
|||
|
||||
def markdown(post)
|
||||
if post && guardian.can_see?(post)
|
||||
render text: post.raw, content_type: 'text/plain'
|
||||
render plain: post.raw
|
||||
else
|
||||
raise Discourse::NotFound
|
||||
end
|
||||
|
|
|
@ -48,7 +48,7 @@ class SessionController < ApplicationController
|
|||
sso.moderator = current_user.moderator?
|
||||
|
||||
if sso.return_sso_url.blank?
|
||||
render text: "return_sso_url is blank, it must be provided", status: 400
|
||||
render plain: "return_sso_url is blank, it must be provided", status: 400
|
||||
return
|
||||
end
|
||||
|
||||
|
|
|
@ -43,7 +43,7 @@ class StaticController < ApplicationController
|
|||
end
|
||||
|
||||
if I18n.exists?("static.#{@page}")
|
||||
render text: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
|
||||
render html: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -163,7 +163,7 @@ class StaticController < ApplicationController
|
|||
rescue Errno::ENOENT
|
||||
expires_in 1.second, public: true, must_revalidate: false
|
||||
|
||||
render text: "can not find #{params[:path]}", status: 404
|
||||
render plain: "can not find #{params[:path]}", status: 404
|
||||
return
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue