Add escaping to the static 404 page.

sinatra · Sep 28, 2020 · 8d38b12 · 8d38b12
1 parent eebec27
commit 8d38b12
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
@@ -1168,7 +1168,7 @@ def handle_exception!(boom)
 
       if not_found? || bad_request?
         if boom.message && boom.message != boom.class.name
-          body boom.message
+          body Rack::Utils.escape_html(boom.message)
         else
           content_type 'text/html'
           body '<h1>' + (not_found? ? 'Not Found' : 'Bad Request') + '</h1>'