Escape filename to avoid XSS from malicious input

[pbyrne]

Because:

• If user input is provided for the file name (as in rendering an SVG based on a URL parameter), the blanket marking of the SVG output as HTML-safe exposes an app to an XSS attack in the comment listing the file that was not found.
• This happened in our app, which we resolved by adding a whitelist to check if the SVG file existed before calling inline_svg, but it feels safer to have the gem handle this better from the get-go.

Solution:

• HTML-escape the filename rendering the comment that it was not found.
• I considered some alternate solutions like using content_tag to render the SVG rather than a raw string, but this felt like a smaller change.

[pbyrne]

Thanks for the 👍, @jamesmartin! Wondering when this could be merged and a new release pushed.

[jamesmartin]

Sorry it the delay, @pbyrne. I've merged your PR and will make a new release later this week.

[jamesmartin]

Actually, it looks like your change isn't backwards compatible with Rails 3:

ActionView::Template::Error: undefined method `html_escape_once' for ERB::Util:Module
89
  Did you mean?  html_escape

We'll probably need a conditional to check for that. The good news is that we'll be dropping Rails 3 support in Version 2 of this gem, but for now we've got to support it.