From 327c6ece36471763574d5c7ccc04e64c3410a742 Mon Sep 17 00:00:00 2001
From: Ryan Tomayko
Date: Sat, 8 Mar 2008 07:21:43 -0500
Subject: [PATCH] Fix that built-in error message response not HTML escaped.
Stack traces and Object#inspect output lots of less-than signs that need escaping. There's probably a better way to do this. My first iteration called CGI::escapeHTML and then I noticed that Rack includes a nice Utils module with various escaping methods so I figured that would be a better fit for Sinatra. Unfortunately, these methods don't seem to be exposed anywhere (that I could find) so I extended the Rack::Utils module with itself so that messages could be sent directly to the module.
---
 lib/sinatra.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/sinatra.rb b/lib/sinatra.rb
index e0867436..730cb2ac 100644
--- a/lib/sinatra.rb
+++ b/lib/sinatra.rb
@@ -44,6 +44,10 @@ module Rack #:nodoc:
 end + module Utils + extend self + end + end module Sinatra
@@ -623,8 +627,8 @@ module Sinatra
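Review bot: Reopening `Rack::Utils` with `extend self` in the first hunk patches a third-party namespace for every consumer in the process, and it presumably works only because the Rack version in use defines `escape_html` as a plain instance method of that module, an implementation detail Rack can change without notice. A less invasive way to get the same call is to `include Rack::Utils` in the Sinatra class that renders the error page and call `escape_html` there, which keeps the change local to Sinatra; the commit message itself says a better way probably exists. If the patch is kept, a comment such as `# Rack's escaping helpers are instance methods in this Rack version; expose them as Rack::Utils.escape_html for the error page below` should explain why a Sinatra file reopens a Rack module. Whichever form is used, the escaping added in the second hunk covers only the message and backtrace interpolations; any other exception attribute the error template interpolates would need the same treatment, which cannot be confirmed from the visible lines since that hunk is cut off.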
-

#{@error.message}

-
#{@error.backtrace.join("\n")}
+

#{Rack::Utils.escape_html(@error.message)}

+
#{Rack::Utils.escape_html(@error.backtrace.join("\n"))}