escape path in 404 (not found) page

This escapes the `path` variable using `escape_html` from `Rack::Utils` to prevent Cross-Site Scripting in 404 (Not Found) pages.
This commit is contained in:
Melvin Lammerts 2016-02-15 23:42:05 +01:00
parent 6c8fc2ee07
commit b7886aa14c


@ -2,6 +2,7 @@ require 'rack'
require 'rack/file' require 'rack/file'
require 'rack/lint' require 'rack/lint'
require 'rack/head' require 'rack/head'
require 'rack/utils'
require 'middleman-core/util' require 'middleman-core/util'
require 'middleman-core/logger' require 'middleman-core/logger'
@ -124,6 +125,7 @@ module Middleman
# Halt request and return 404 # Halt request and return 404
def not_found(res, path) def not_found(res, path)
path = ::Rack::Utils::escape_html(path)
res.status = 404 res.status = 404
res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>" res.write "<html><head></head><body><h1>File Not Found</h1><p>#{path}</p></body></html>"
res.finish res.finish