Fully URL-encode the pathname in the 404 message

HISTORY.md

@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Fully URL-encode the pathname in the 404 message
   * Only include the pathname in the 404 message
   * deps: debug@2.6.0
     - Allow colors in workers

index.js

@@ -12,6 +12,7 @@
  */
 
 var debug = require('debug')('finalhandler')
+var encodeUrl = require('encodeurl')
 var escapeHtml = require('escape-html')
 var onFinished = require('on-finished')
 var parseUrl = require('parseurl')
@@ -92,7 +93,8 @@ function finalhandler (req, res, options) {
         .replace(DOUBLE_SPACE_REGEXP, '  ') + '\n'
     } else {
       status = 404
-      msg = 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(parseUrl.original(req).pathname) + '\n'
+      msg = 'Cannot ' + escapeHtml(req.method) +
+        ' ' + escapeHtml(encodeUrl(parseUrl.original(req).pathname)) + '\n'
     }
 
     debug('default %s', status)

package.json

@@ -7,6 +7,7 @@
   "repository": "pillarjs/finalhandler",
   "dependencies": {
     "debug": "2.6.0",
+    "encodeurl": "~1.0.1",
     "escape-html": "~1.0.3",
     "on-finished": "~2.3.0",
     "parseurl": "~1.3.1",

test/test.js

@@ -197,7 +197,13 @@ describe('finalhandler(req, res)', function () {
     it('should escape method and pathname characters', function (done) {
       rawrequest(createServer())
       .get('/<la\'me>')
-      .expect(404, 'Cannot GET /&lt;la&#39;me&gt;\n', done)
+      .expect(404, 'Cannot GET /%3Cla&#39;me%3E\n', done)
+    })
+
+    it('should encode bad pathname characters', function (done) {
+      rawrequest(createServer())
+      .get('/foo%20§')
+      .expect(404, 'Cannot GET /foo%20%C2%A7\n', done)
     })
 
     it('should include original pathname', function (done) {