mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
Escape HTML in the 404 page.
There is a reflected XSS in the development mode 404 page for clients that don't URL-encode the request path. (I'm not aware of any major browsers that do this, but you can see the idea with cURL.)
This commit is contained in:
Andy Brody
parent
f42ed4d236
commit
26cb21542b
1 changed files with 1 additions and 1 deletions
|
|
@ -1941,7 +1941,7 @@ module Sinatra
|
||||||
<img src='#{uri "/__sinatra__/404.png"}'>
|
<img src='#{uri "/__sinatra__/404.png"}'>
|
||||||
<div id="c">
|
<div id="c">
|
||||||
Try this:
|
Try this:
|
||||||
<pre>#{code}</pre>
|
<pre>#{Rack::Utils.escape_html(code)}</pre>
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue