diff --git a/app/controllers/api/salmon_controller.rb b/app/controllers/api/salmon_controller.rb
index 1df98970059a5e0c3628c233342fdafd8f90e374..b15aefee9e16d5322671de95a1aedf1c7dda7d1b 100644
--- a/app/controllers/api/salmon_controller.rb
+++ b/app/controllers/api/salmon_controller.rb
@@ -1,5 +1,6 @@
 class Api::SalmonController < ApiController
   before_action :set_account
+  respond_to :txt
 
   def update
     ProcessInteractionService.new.(request.body.read, @account)
diff --git a/app/controllers/api/subscriptions_controller.rb b/app/controllers/api/subscriptions_controller.rb
index 6ae038a36ff5b44e4a0a52278590147c63ed7454..91b987ce43f685f51a517490423621274e4823b2 100644
--- a/app/controllers/api/subscriptions_controller.rb
+++ b/app/controllers/api/subscriptions_controller.rb
@@ -1,9 +1,10 @@
 class Api::SubscriptionsController < ApiController
   before_action :set_account
+  respond_to :txt
 
   def show
     if @account.subscription(api_subscription_url(@account.id)).valid?(params['hub.topic'], params['hub.verify_token'])
-      render text: params['hub.challenge'], status: 200
+      render text: HTMLEntities.new.encode(params['hub.challenge']), status: 200
     else
       render nothing: true, status: 404
     end