Rails 2: Refuse response formats application-wide

If you regularly get ActionView::MissingTemplate exceptions, maybe some bot visits your site requesting silly formats like:

http://www.rails-app.com/makandra.html-username-2000 # => Rails tries to retrieve 'makandra' with format 'html-username-2000'

Just restrict accepted format parameters for the whole application like this:

class ApplicationController < ActionController::Base

  before_filter :refuse_silly_formats

  private

  def refuse_silly_formats
    acceptable_formats = %w[html xml pdf]

    if params[:format]
      unless acceptable_formats.include? params[:format].downcase
        Rails.logger.error "Format not supported: #{params[:format]}"
        head interpret_status(:not_acceptable)
      end
    end
  end

end

Note: request.format more reliably tells the format, but includes Rails-required formats such as application/x-www-form-urlencoded (which we must not refuse). For our purposes, getting the format from the params is exactly what we need. You may also skip that before_filter for a certain controller/action.

Kudos to Peter Wagenet.

Dominik Schöler over 7 years ago
This website uses short-lived cookies to improve usability.
Accept or learn more