escape HTML on redirects

lib/insecure-server.js

@@ -40,19 +40,21 @@ module.exports.create = function (securePort, insecurePort, redirects) {
       );
     });
 
+    var escapeHtml = require('escapeHtml');
     var newLocation = 'https://'
       + host.replace(/:\d+/, ':' + securePort) + url
       ;
+    var safeLocation = escapeHtml(newLocation);
 
     var metaRedirect = ''
       + '<html>\n'
       + '<head>\n'
       + '  <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
-      + '  <META http-equiv="refresh" content="0;URL=' + newLocation + '">\n'
+      + '  <META http-equiv="refresh" content="0;URL=' + safeLocation + '">\n'
       + '</head>\n'
       + '<body style="display: none;">\n'
       + '  <p>You requested an insecure resource. Please use this instead: \n'
-      + '    <a href="' + newLocation + '">' + newLocation + '</a></p>\n'
+      + '    <a href="' + safeLocation + '">' + safeLocation + '</a></p>\n'
       + '</body>\n'
       + '</html>\n'
       ;
@@ -72,7 +74,7 @@ module.exports.create = function (securePort, insecurePort, redirects) {
     // To minimize this, we give browser users a mostly optimal experience,
     // but people experimenting with the API get a message letting them know
     // that they're doing it wrong and thus forces them to ensure they encrypt.
-    res.setHeader('Content-Type', 'text/html');
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
     res.end(metaRedirect);
   }
 

package.json

@@ -62,7 +62,7 @@
     "ee-first": "^1.1.0",
     "errorhandler": "1.x",
     "es6-promise": "2.x",
-    "escape-html": "^1.0.1",
+    "escape-html": "^1.0.2",
     "escape-string-regexp": "1.x",
     "etag": "^1.5.1",
     "express": "4.x",