escape path in 404 (not found) page
This escapes the `path` variable using `escape_html` from `Rack::Utils` to prevent Cross-Site Scripting in 404 (Not Found) pages.
This commit is contained in:
parent
6c8fc2ee07
commit
b7886aa14c
1 changed files with 2 additions and 0 deletions
|
@ -2,6 +2,7 @@ require 'rack'
|
|||
require 'rack/file'
|
||||
require 'rack/lint'
|
||||
require 'rack/head'
|
||||
require 'rack/utils'
|
||||
|
||||
require 'middleman-core/util'
|
||||
require 'middleman-core/logger'
|
||||
|
@ -124,6 +125,7 @@ module Middleman
|
|||
|
||||
# Halt request and return 404
|
||||
def not_found(res, path)
|
||||
path = ::Rack::Utils::escape_html(path)
|
||||
res.status = 404
|
||||
res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
|
||||
res.finish
|
||||
|
|
Loading…
Reference in a new issue