escape invalid query params, fixes #1428

sinatra · May 30, 2018 · 12786867d6faaceaec62c7c2cb5b0e2dc074d71a · 1278686
1 parent 5149dc9
commit 12786867d6faaceaec62c7c2cb5b0e2dc074d71a
Unified Split

Showing with 1 addition and 1 deletion.

+1 −1 lib/sinatra/base.rb
diff --git a/lib/sinatra/base.rb b/lib/sinatra/base.rb
@@ -78,7 +78,7 @@ def unlink?
     def params
       super
     rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
-      raise BadRequest, "Invalid query parameters: #{e.message}"
+      raise BadRequest, "Invalid query parameters: #{Rack::Utils.escape_html(e.message)}"
     end
 
     private