fix: escape msg in render restricted error html (#12889)

Author: patak-dev

packages/vite/package.json

@@ -86,6 +86,7 @@
     "@rollup/plugin-typescript": "^11.0.0",
     "@rollup/pluginutils": "^5.0.2",
     "@types/pnpapi": "^0.0.2",
+    "@types/escape-html": "^1.0.0",
     "acorn": "^8.8.2",
     "acorn-walk": "^8.2.0",
     "cac": "^6.7.14",
@@ -100,6 +101,7 @@
     "dotenv": "^16.0.3",
     "dotenv-expand": "^9.0.0",
     "es-module-lexer": "^1.2.0",
+    "escape-html": "^1.0.3",
     "estree-walker": "^3.0.3",
     "etag": "^1.8.1",
     "fast-glob": "^3.2.12",

packages/vite/src/node/server/middlewares/static.ts

@@ -3,6 +3,7 @@ import type { OutgoingHttpHeaders, ServerResponse } from 'node:http'
 import type { Options } from 'sirv'
 import sirv from 'sirv'
 import type { Connect } from 'dep-types/connect'
+import escapeHtml from 'escape-html'
 import type { ViteDevServer } from '../..'
 import { FS_PREFIX } from '../../constants'
 import {
@@ -236,7 +237,7 @@ function renderRestrictedErrorHTML(msg: string): string {
   return html`
     <body>
       <h1>403 Restricted</h1>
-      <p>${msg.replace(/\n/g, '<br/>')}</p>
+      <p>${escapeHtml(msg).replace(/\n/g, '<br/>')}</p>
       <style>
         body {
           padding: 1em 2em;