Escape HTML in the 404 page.

There is a reflected XSS in the development mode 404 page for clients that don't URL-encode the request path. (I'm not aware of any major browsers that do this, but you can see the idea with cURL.)
2023-03-27 23:18:01 -04:00 · 2014-06-11 18:41:02 -07:00 · 2014-06-11 18:41:02 -07:00 · 26cb21542b
commit 26cb21542b
parent f42ed4d236
1 changed files with 1 additions and 1 deletions
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@ -1941,7 +1941,7 @@ module Sinatra
            <img src='#{uri "/__sinatra__/404.png"}'>
            <div id="c">
              Try this:
-              <pre>#{code}</pre>
+              <pre>#{Rack::Utils.escape_html(code)}</pre>
            </div>
          </body>
          </html>