From a340e1870415706e3413e9b5256add9b3834eea7 Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Thu, 31 Oct 2019 16:54:28 +0800
Subject: [PATCH] Avoid XSS
---
 lib/server/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/server/index.js b/lib/server/index.js
index dfb59269f..bdefacd3b 100644
--- a/lib/server/index.js
+++ b/lib/server/index.js
@@ -157,7 +157,7 @@ class Server extends EventEmitter {
 if (err) {
 log.error(err.message);
 if (err.code === 'ENOENT') {
- res.status(404).send(`Not found: ${req.url}`);
+ res.status(404).send(`Not found: ${req.url.replace(/&/g,'&').replace(/