escape path in 404 (not found) page
This escapes the `path` variable using `escape_html` from `Rack::Utils` to prevent Cross-Site Scripting in 404 (Not Found) pages.
This commit is contained in:
parent
6c8fc2ee07
commit
b7886aa14c
|
@ -2,6 +2,7 @@ require 'rack'
|
||||||
require 'rack/file'
|
require 'rack/file'
|
||||||
require 'rack/lint'
|
require 'rack/lint'
|
||||||
require 'rack/head'
|
require 'rack/head'
|
||||||
|
require 'rack/utils'
|
||||||
|
|
||||||
require 'middleman-core/util'
|
require 'middleman-core/util'
|
||||||
require 'middleman-core/logger'
|
require 'middleman-core/logger'
|
||||||
|
@ -124,6 +125,7 @@ module Middleman
|
||||||
|
|
||||||
# Halt request and return 404
|
# Halt request and return 404
|
||||||
def not_found(res, path)
|
def not_found(res, path)
|
||||||
|
path = ::Rack::Utils::escape_html(path)
|
||||||
res.status = 404
|
res.status = 404
|
||||||
res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
|
res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
|
||||||
res.finish
|
res.finish
|
||||||
|
|
Loading…
Reference in a new issue