deac/middleman
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #1805 from melvinsh/fix_404_html_injection

Browse source 
Escape path in 404 (not found) page
This commit is contained in:
Thomas Reynolds 2016-02-16 09:28:07 -08:00
parent 6c8fc2ee07 b7886aa14c
commit a24e5986a2
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
middleman-core/lib/middleman-core/rack.rb
View file

@ -2,6 +2,7 @@ require 'rack'
require 'rack/file' require 'rack/file'
require 'rack/lint' require 'rack/lint'
require 'rack/head' require 'rack/head'
require 'rack/utils'
require 'middleman-core/util' require 'middleman-core/util'
require 'middleman-core/logger' require 'middleman-core/logger'
@ -124,6 +125,7 @@ module Middleman
# Halt request and return 404 # Halt request and return 404
def not_found(res, path) def not_found(res, path)
path = ::Rack::Utils::escape_html(path)
res.status = 404 res.status = 404
res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>" res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
res.finish res.finish