Merge pull request #1805 from melvinsh/fix_404_html_injection

Escape path in 404 (not found) page

middleman-core/lib/middleman-core/rack.rb

@@ -2,6 +2,7 @@ require 'rack'
 require 'rack/file'
 require 'rack/lint'
 require 'rack/head'
+require 'rack/utils'
 
 require 'middleman-core/util'
 require 'middleman-core/logger'
@@ -124,6 +125,7 @@ module Middleman
 
     # Halt request and return 404
     def not_found(res, path)
+      path = ::Rack::Utils::escape_html(path)
       res.status = 404
       res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
       res.finish