Merge pull request #1645 from chrisgavin/escape-static-404-pages

Add escaping to the static 404 page.
sinatra · Oct 6, 2020 · 0aa8d50 · 0aa8d50
2 parents 788b806 + 8e7cc33
commit 0aa8d50
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
@@ -1166,7 +1166,7 @@ def handle_exception!(boom)
 
       if not_found? || bad_request?
         if boom.message && boom.message != boom.class.name
-          body boom.message
+          body Rack::Utils.escape_html(boom.message)
         else
           content_type 'text/html'
           body '<h1>' + (not_found? ? 'Not Found' : 'Bad Request') + '</h1>'

diff --git a/test/static_test.rb b/test/static_test.rb
@@ -81,6 +81,12 @@ class StaticTest < Minitest::Test
     assert not_found?
   end
 
+  it 'path is escaped in 404 error pages' do
+    env = Rack::MockRequest.env_for("/dummy").tap { |env| env["PATH_INFO"] = "/<script>" }
+    _, _, body = @app.call(env)
+    assert_equal(["GET &#x2F;&lt;script&gt;"], body, "Unexpected response content.") 
+  end
+
   it 'serves files when .. path traverses within public directory' do
     get "/data/../#{File.basename(__FILE__)}"
     assert ok?