[2.1.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page.

      Co-Authored-By: Tim Graham <timograham@gmail.com>
Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.