Following this, I applied a secure solution, as I need to output the text file inside my other HTML.
require 'sinatra'
require 'rack/utils'

get '/logfile' do
  # Escape &, <, >, " and ' before the text reaches the template, so nothing
  # written into the log can close the <pre> or open a <script>.
  @logtext = File.open('./public/log.txt', 'r') do |file|
    Rack::Utils.escape_html(file.read) # this will assure security
  end
  erb :logfile
end
views/logfile.erb
<h1>Log file</h1>
<pre><%= @logtext %></pre>
Suppose our logs are less secure than our site code, and some bad person did a bad thing:
[INFO] User Admin successfully logged in.
[ERROR] User Frog failed to log in.
</pre><script>alert('Do harmful thing!')</script>
[INFO] User Admin successfully logged in.
The output will be exactly the above text (without the pop-up message).
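To make the difference concrete, here is a stand-alone Ruby script (an added example, not code from the original post) that renders the same constructed log text once without escaping and once with it. It uses `ERB::Util.html_escape` from the standard library instead of `Rack::Utils.escape_html` so it runs without the rack gem; both escape the same five characters. The `scrub` call is an extra caveat for real log files, which are not guaranteed to be valid UTF-8 and would otherwise make the escaper raise on a bad byte.

```ruby
require 'erb'

# Constructed sample log text, mirroring the injected line from the post above.
SAMPLE_LOG = <<~LOG
  [INFO] User Admin successfully logged in.
  [ERROR] User Frog failed to log in.
  </pre><script>alert('Do harmful thing!')</script>
  [INFO] User Admin successfully logged in.
LOG

# The vulnerable form: the log text is interpolated as-is, so the injected
# </pre> closes the block and the <script> becomes live markup.
def render_log_unsafe(log_text)
  "<h1>Log file</h1>\n<pre>#{log_text}</pre>"
end

# Replace invalid byte sequences first (log files may contain binary junk),
# then HTML-escape. ERB::Util.html_escape is the stdlib counterpart of
# Rack::Utils.escape_html used in the Sinatra route above.
def sanitize_for_html(log_text)
  ERB::Util.html_escape(log_text.scrub('?'))
end

# The hardened form: same template, escaped content.
def render_log_safe(log_text)
  "<h1>Log file</h1>\n<pre>#{sanitize_for_html(log_text)}</pre>"
end

# Lists every tag present in the rendered HTML. After escaping, the only tags
# left should be the ones the template itself wrote.
def tags_in(html)
  html.scan(%r{</?[a-zA-Z][^>]*>})
end

if __FILE__ == $PROGRAM_NAME
  puts render_log_safe(SAMPLE_LOG)
  puts "tags in page: #{tags_in(render_log_safe(SAMPLE_LOG)).inspect}"
end
```

Run it with `ruby logview.rb` (file name assumed); the unescaped render contains `<script>` as a real tag, while the escaped render shows the injected line as literal text inside the `<pre>`.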