From 8d38b124aa33b8719f8bbca4800d0f92ef1207a2 Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Mon, 28 Sep 2020 15:17:21 +0100
Subject: [PATCH 1/2] Add escaping to the static 404 page.

---
 lib/sinatra/base.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
index 11cd284a9d..e4047f0070 100644
--- a/lib/sinatra/base.rb
+++ b/lib/sinatra/base.rb
@@ -1168,7 +1168,7 @@ def handle_exception!(boom)
 if not_found? || bad_request?
 if boom.message && boom.message != boom.class.name
- body boom.message
+ body Rack::Utils.escape_html(boom.message)
 else
 content_type 'text/html'
 body '

' + (not_found? ? 'Not Found' : 'Bad Request') + '

'
From 8e7cc33c49e0b6ffba3433a953c4c8d134b11f02 Mon Sep 17 00:00:00 2001
From: Chris Gavin
Date: Mon, 5 Oct 2020 14:18:49 +0100
Subject: [PATCH 2/2] Add a test to ensure paths on 404 pages are escaped.

---
 test/static_test.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/static_test.rb b/test/static_test.rb
index b5adbf312c..71ed5eb055 100644
--- a/test/static_test.rb
+++ b/test/static_test.rb
@@ -81,6 +81,12 @@ class StaticTest < Minitest::Test
 assert not_found?
 end
+ it 'path is escaped in 404 error pages' do
+ env = Rack::MockRequest.env_for("/dummy").tap { |env| env["PATH_INFO"] = "/
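Review bot: Only the `else` branch of this hunk calls `content_type 'text/html'`; the new `body Rack::Utils.escape_html(boom.message)` line emits the escaped message under whatever content type was set earlier in the request, so the escaping is correct only if that earlier default is HTML (presumably it is, but nothing in the hunk pins it — worth confirming, and setting it explicitly here if it is not). A one-line why-comment above the escaped call would stop the next maintainer from "simplifying" it back to the raw message: `# boom.message can echo request-supplied data (e.g. the requested path); escape it before it lands in an HTML body.` Any other code path that writes `boom.message` into a response body is outside this hunk and should be checked for the same reflection. `handle_exception!` starts before the hunk and continues past it.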