escape path in 404 (not found) page

This escapes the `path` variable using `escape_html` from `Rack::Utils` to prevent Cross-Site Scripting in 404 (Not Found) pages.

middleman-core/lib/middleman-core/rack.rb

@@ -2,6 +2,7 @@ require 'rack'
 require 'rack/file'
 require 'rack/lint'
 require 'rack/head'
+require 'rack/utils'
 
 require 'middleman-core/util'
 require 'middleman-core/logger'
@@ -124,6 +125,7 @@ module Middleman
 
     # Halt request and return 404
     def not_found(res, path)
+      path = ::Rack::Utils::escape_html(path)
       res.status = 404
       res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
       res.finish