Don't echo back the provided path on a 404 error

This gets flagged up by security scans a potential cross-site scripting vector - I suspect that this would be quite difficult to exploit for real, but I'm making this fix because it removes spurious XSS warnings on scans but doesn't affect useful function.
fluent · Jun 14, 2021 · a6d9cbc · a6d9cbc
1 parent 5bc4c6b
commit a6d9cbc
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/fluent/plugin_helper/http_server/router.rb b/lib/fluent/plugin_helper/http_server/router.rb
@@ -22,7 +22,7 @@ module HttpServer
       class Router
         class NotFoundApp
           def self.call(req)
-            [404, { 'Content-Type' => 'text/plain' }, "404 Not Found: #{req.path}\n"]
+            [404, { 'Content-Type' => 'text/plain' }, "404 Not Found\n"]
           end
         end