Description
After highlighting this issue to the Rails team via Hacker1, I was informed that this bug should be highlighted here upstream.
Whilst the issue is nothing critical (it is, after all, more of a self-XSS), the ability to inject XSS attacks within the Rails framework is concerning. At a later date a vulnerability may be discovered that could leverage this issue, or the code within this page could be reused elsewhere, creating another attack vector that could be triggered by an attacker.
I am not an expert in Ruby or Rails and when I found this issue on a penetration test for a client, we discovered it was not an issue with the web application but one within Rails itself. The screenshot attached is therefore redacted of client identification.
Steps to reproduce
Request a page that does not have a matching routing to produce the Routing Error page.
Expected behavior
Expected behaviour is an error page with resources to help navigate the issue.
Actual behavior
Within the search box for Path, it is possible to create an XSS injection.
System configuration
Rails version:
No information on version from client
Ruby version:
No information on version from client.