escape widget error message; prevent xss

lib/dashing/app.rb

@@ -25,6 +25,10 @@ def protected!
     # override with auth logic
   end
 
+  def h(text)
+    Rack::Utils.escape_html(text)
+  end
+
   def authenticated?(token)
     return true unless settings.auth_token
     token && Rack::Utils.secure_compare(settings.auth_token, token)
@@ -129,7 +133,7 @@ def authenticated?(token)
     return Tilt[language].new(file).render if File.exist?(file)
   end
 
-  "Drats! Unable to find a widget file named: #{params[:widget]} to render."
+  "Drats! Unable to find a widget file named: #{h(params[:widget])} to render."
 end
 
 Thin::Server.class_eval do

test/app_test.rb

@@ -200,6 +200,14 @@ def test_get_nonexistent_widget
     end
   end
 
+  def test_get_xss_widget
+    with_generated_project do
+      get '/views/nowidget-<h1>.html'
+      assert_equal 200, last_response.status
+      assert_equal last_response.body, 'Drats! Unable to find a widget file named: nowidget-&lt;h1&gt; to render.'
+    end
+  end
+
   def with_generated_project
     source_path = File.expand_path('../../templates', __FILE__)