When requesting files like `/hackattempt.js`, the pages controller was responding with a 404 status code. However, since the request was considered a JavaScript request (because of the `.js` extension), the response was also considered to be a JavaScript one, and since the request wasn't an AJAX request, our protection from forgery was preventing a potential security issue by raising an InvalidCrossOriginRequest exception. By setting HTML as content type, we correctly respond with a 404 status code. More info: https://die-antwort.eu/techblog/2018-08-avoid-invalid-cross-origin-request-with-catch-all-route/
21 lines
552 B
Ruby
```ruby
class PagesController < ApplicationController
  include FeatureFlags

  skip_authorization_check

  feature_flag :help_page, if: lambda { params[:id] == "help/index" }

  def show
    @custom_page = SiteCustomization::Page.published.find_by(slug: params[:id])
    @banners = Banner.in_section("help_page").with_active

    if @custom_page.present?
      @cards = @custom_page.cards
      render action: :custom_page
    else
      render action: params[:id]
    end
  rescue ActionView::MissingTemplate
    # Force an HTML 404: without an explicit content type the response would
    # inherit the format inferred from the path (e.g. text/javascript for a
    # ".js" path), and a non-XHR JavaScript response triggers
    # ActionController::InvalidCrossOriginRequest from protect_from_forgery.
    head 404, content_type: "text/html"
  end
end
```
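The interaction the commit message describes, as an added stand-alone example that is not part of the original project: a constructed, dependency-free model of the Rails forgery check (the real one lives in `ActionController::RequestForgeryProtection#verify_same_origin_request`), with `head_404`, `inferred_content_type` and the `respond_*` helpers being hypothetical names used only for this illustration.

```ruby
# Constructed stand-in for Rails' request-forgery check, not the project's code.
# It mirrors the rule in ActionController::RequestForgeryProtection: a non-XHR
# request that receives a JavaScript-typed response is treated as a possible
# cross-origin script include and rejected.
class InvalidCrossOriginRequest < StandardError; end

JAVASCRIPT_TYPE = %r{\A(?:text|application)/javascript}

# Under a catch-all route Rails infers the response format from the path's
# extension, so "/hackattempt.js" is answered as JavaScript unless overridden.
def inferred_content_type(path)
  File.extname(path) == ".js" ? "text/javascript" : "text/html"
end

# Simulates `head 404, content_type: ...`; with no explicit type the
# request's inferred format is used, which is exactly where the bug came from.
def head_404(path, content_type: nil)
  { status: 404, content_type: content_type || inferred_content_type(path) }
end

# The forgery check: raise unless the response is safe to serve.
def verify_same_origin_request!(response, xhr:)
  if response[:content_type].match?(JAVASCRIPT_TYPE) && !xhr
    raise InvalidCrossOriginRequest, "Security warning: non-XHR JavaScript response"
  end
  response
end

# Before the fix: a plain GET for a ".js" path under the catch-all route
# gets a JavaScript-typed 404, and the protection raises.
def respond_before_fix(path, xhr: false)
  verify_same_origin_request!(head_404(path), xhr: xhr)
end

# After the fix: forcing text/html makes the 404 an ordinary HTML response.
def respond_after_fix(path, xhr: false)
  verify_same_origin_request!(head_404(path, content_type: "text/html"), xhr: xhr)
end

if __FILE__ == $PROGRAM_NAME
  begin
    respond_before_fix("/hackattempt.js")
  rescue InvalidCrossOriginRequest => e
    puts "before fix: #{e.message}"
  end
  puts "after fix: #{respond_after_fix('/hackattempt.js').inspect}"
end
```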