From 8e7cc33c49e0b6ffba3433a953c4c8d134b11f02 Mon Sep 17 00:00:00 2001
From: Chris Gavin <chris@chrisgavin.me>
Date: Mon, 5 Oct 2020 14:18:49 +0100
Subject: [PATCH] Add a test to ensure paths on 404 pages are escaped.

---
 test/static_test.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/static_test.rb b/test/static_test.rb
index b5adbf312c..71ed5eb055 100644
--- a/test/static_test.rb
+++ b/test/static_test.rb
@@ -81,6 +81,12 @@ class StaticTest < Minitest::Test
     assert not_found?
   end
 
+  it 'path is escaped in 404 error pages' do
+    env = Rack::MockRequest.env_for("/dummy").tap { |env| env["PATH_INFO"] = "/<script>" }
+    _, _, body = @app.call(env)
+    assert_equal(["GET &#x2F;&lt;script&gt;"], body, "Unexpected response content.") 
+  end
+
   it 'serves files when .. path traverses within public directory' do
     get "/data/../#{File.basename(__FILE__)}"
     assert ok?