
<!DOCTYPE html>
<html>
<head>
<title>TwitterBootstrapPoc</title>
<%= stylesheet_link_tag "application", :media => "all" %>
<%= javascript_include_tag "application" %>
<%= csrf_meta_tags %>
</head>
<body>
<div class="twitter-flash">
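# Controller whose +show+ action reports a missing user through the flash.
class UserController < ApplicationController
  # Stores an error message that echoes the requested id back to the user.
  #
  # params[:id] comes straight from the request and is copied into the flash
  # unmodified. Whatever renders flash[:error] must therefore HTML-escape it;
  # it must never be marked html_safe or emitted through raw.
  def show
    # A space now separates the interpolated id from the rest of the message.
    flash[:error] = "User ID: #{params[:id]} did not exist"
  end
end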
<body>
<%# Renders every flash entry as a <div> whose CSS class is the flash key. %>
<%# content_tag HTML-escapes msg unless it is already marked html_safe, so %>
<%# request data echoed into the flash is escaped here; do not switch to raw or html_safe. %>
<% flash.each do |name, msg| -%>
<%= content_tag :div, msg, class: name %>
<% end -%>
<%= yield %>
</body>
module BootstrapFlashHelperPatched
ALERT_TYPES = [:error, :info, :success, :warning] unless const_defined?(:ALERT_TYPES)
def bootstrap_flash_patched
flash_messages = []
flash.each do |type, message|
# Skip empty messages, e.g. for devise messages set to nothing in a locale file.
next if message.blank?
type = type.to_sym
module BootstrapFlashHelperPatched
ALERT_TYPES = [:error, :info, :success, :warning] unless const_defined?(:ALERT_TYPES)
def bootstrap_flash_patched
flash_messages = []
flash.each do |type, message|
# Skip empty messages, e.g. for devise messages set to nothing in a locale file.
next if message.blank?
type = type.to_sym
@forced-request
forced-request / all-encodings-of-gt
Created April 3, 2014 23:00
This file is based on the fuzzdb list of all encodings of lt (<); it lists the corresponding encodings of gt (>).
>
%3E
&gt
&gt;
&GT
&GT;
&#62
&#062
&#0062
&#00062
class ApplicationController < ActionController::Base
# Authorization audit: covers every action except :index and :search, runs only
# while auditing_security? returns true, and is skipped when devise_controller?
# is true.
# NOTE(review): ensure_authorization_performed is presumably the Authority gem's
# macro; confirm. auditing_security? is false in production, so this is a
# development/test safety net and not an access control enforced in production.
ensure_authorization_performed :except => [:index, :search], :if => :auditing_security?, :unless => :devise_controller?
private
# Condition used by the :if option of ensure_authorization_performed.
#
# True in every environment except 'production', so the check it gates does
# not run in production. Missing authorization calls are only surfaced in
# development and test; production relies on each action authorizing itself.
#
# @return [Boolean] false when Rails.env equals 'production', true otherwise
def auditing_security?
  in_production = (Rails.env == 'production')
  !in_production
end
# Send 'em back where they came from with a slap on the wrist
def authority_forbidden(error)
@forced-request
forced-request / gist:653acca0adb0e61554f6
Created September 9, 2014 00:23
verify_authenticity_token
# CSRF check for the current request.
#
# Does nothing when verified_request? is true. Otherwise it logs a warning
# (only if a logger is available) and delegates to handle_unverified_request.
# This method does not stop the request itself: whether an unverified request
# is rejected depends entirely on what handle_unverified_request does.
#
# @return [Object, nil] nil for a verified request, otherwise the result of
#   handle_unverified_request
def verify_authenticity_token
  return if verified_request?

  if logger
    logger.warn "WARNING: Can't verify CSRF token authenticity"
  end
  handle_unverified_request
end
# Discards the current session and starts from an empty one.
#
# Calls destroy on the existing session when it is present and supports it,
# replaces the session with an empty hash, and sets the
# 'action_dispatch.request.flash_hash' entry in @env to nil so the previous
# flash hash is no longer referenced there.
def reset_session
  current = session
  if current && current.respond_to?(:destroy)
    current.destroy
  end
  self.session = {}
  @env['action_dispatch.request.flash_hash'] = nil
end
@forced-request
forced-request / application_controller.rb
Created September 9, 2014 15:43
Overriding handle_unverified_request to protect from forgery
# Base controller with CSRF protection that fails closed.
class ApplicationController < ActionController::Base
  protect_from_forgery

  # Overrides the handler for requests that do not pass authenticity-token
  # validation so that every such request raises instead of continuing.
  #
  # NOTE(review): on Rails versions that support it,
  # `protect_from_forgery with: :exception` expresses the same policy without
  # an override; confirm against the application's Rails version.
  #
  # @raise [ActionController::InvalidAuthenticityToken] always
  def handle_unverified_request
    raise ActionController::InvalidAuthenticityToken
  end
end