Escape the message of an exception in debug_exceptions to avoid bad r…

…endering

actionpack/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb

@@ -8,7 +8,7 @@
 </header>
 
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
 
   <%= render template: "rescues/_source" %>
   <%= render template: "rescues/_trace" %>

actionpack/lib/action_dispatch/middleware/templates/rescues/missing_template.erb

@@ -3,5 +3,5 @@
 </header>
 
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
 </div>

actionpack/lib/action_dispatch/middleware/templates/rescues/routing_error.erb

@@ -2,7 +2,7 @@
   <h1>Routing Error</h1>
 </header>
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
   <% unless @exception.failures.empty? %>
     <p>
       <h2>Failure reasons:</h2>

actionpack/lib/action_dispatch/middleware/templates/rescues/template_error.erb

@@ -10,7 +10,7 @@
   <p>
     Showing <i><%= @exception.file_name %></i> where line <b>#<%= @exception.line_number %></b> raised:
   </p>
-  <pre><code><%= @exception.message %></code></pre>
+  <pre><code><%= h @exception.message %></code></pre>
 
   <div class="source">
     <div class="info">

actionpack/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb

@@ -2,5 +2,5 @@
   <h1>Unknown action</h1>
 </header>
 <div id="container">
-  <h2><%= @exception.message %></h2>
+  <h2><%= h @exception.message %></h2>
 </div>