From b7886aa14cd68a6a3a7b02c7777b5922de4280f1 Mon Sep 17 00:00:00 2001
From: Melvin Lammerts
Date: Mon, 15 Feb 2016 23:42:05 +0100
Subject: [PATCH] escape path in 404 (not found) page

This escapes the `path` variable using `escape_html` from `Rack::Utils` to prevent Cross-Site Scripting in 404 (Not Found) pages.
---
 middleman-core/lib/middleman-core/rack.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/middleman-core/lib/middleman-core/rack.rb b/middleman-core/lib/middleman-core/rack.rb
index 390728b4..cf241d9f 100644
--- a/middleman-core/lib/middleman-core/rack.rb
+++ b/middleman-core/lib/middleman-core/rack.rb
@@ -2,6 +2,7 @@ require 'rack'
 require 'rack/file'
 require 'rack/lint'
 require 'rack/head'
+require 'rack/utils'
 require 'middleman-core/util'
 require 'middleman-core/logger'
@@ -124,6 +125,7 @@ module Middleman
 # Halt request and return 404
 def not_found(res, path)
+ path = ::Rack::Utils::escape_html(path)
 res.status = 404
 res.write "

File Not Found

#{path}

" res.finish