Merge pull request #883 from ab/404-xss

Potential for reflected XSS in development mode 404 page
2023-03-27 23:18:01 -04:00 · 2014-09-21 11:15:47 +02:00 · 2014-09-21 11:15:47 +02:00 · 4e92d604be
commit 4e92d604be
parent f7cda5d47e 26cb21542b
1 changed files with 1 additions and 1 deletions
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@ -1948,7 +1948,7 @@ module Sinatra
            <img src='#{uri "/__sinatra__/404.png"}'>
            <div id="c">
              Try this:
-              <pre>#{code}</pre>
+              <pre>#{Rack::Utils.escape_html(code)}</pre>
            </div>
          </body>
          </html>