Merge pull request #1805 from melvinsh/fix_404_html_injection

Escape path in 404 (not found) page
Thomas Reynolds 2016-02-16 09:28:07 -08:00
commit a24e5986a2


@ -2,6 +2,7 @@ require 'rack'
require 'rack/file'
require 'rack/lint'
require 'rack/head'
require 'rack/utils'
require 'middleman-core/util'
require 'middleman-core/logger'
@ -124,6 +125,7 @@ module Middleman
# Halt request and return 404
def not_found(res, path)
path = ::Rack::Utils::escape_html(path)
res.status = 404
res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
res.finish
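Review bot: The new escaping line in `not_found` reassigns the `path` parameter and carries no comment saying that the value is request-controlled and reflected into the 404 body, which is the reason the escape must stay. I would keep the raw value and name the escaped one, `escaped_path = ::Rack::Utils.escape_html(path)` (with `.` for the method call rather than `::`), interpolate `#{escaped_path}` in the `res.write` line, and put `# path comes from the request; escape it before it is written into the HTML body` above it. `escape_html` is appropriate for the element-text position used here, but it would not be sufficient if the path were later placed in a URL or script context. No test for a path containing markup is visible on this page, so a regression case asserting that `<` in the requested path comes back as `&lt;` would be worth adding if the commit does not carry one elsewhere. The method's closing `end` is outside the hunk.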