Queue name xss, fixes #2330

2022-11-09 13:52:34 -05:00 · 2015-05-04 08:38:51 -07:00 · 2015-05-04 08:38:51 -07:00 · 2178d66b66
commit 2178d66b66
parent a695ff347a
2 changed files with 2 additions and 2 deletions
--- a/web/views/queue.erb
+++ b/web/views/queue.erb
@ -1,7 +1,7 @@
 <header class="row">
  <div class="col-sm-5">
    <h3>
-      <%= t('CurrentMessagesInQueue', :queue => @name) %>
+      <%= t('CurrentMessagesInQueue', :queue => h(@name)) %>
      <% if @queue.paused? %>
        <span class="label label-danger"><%= t('Paused') %></span>
      <% end %>
--- a/web/views/queues.erb
+++ b/web/views/queues.erb
@ -17,7 +17,7 @@
      <td><%= number_with_delimiter(queue.size) %> </td>
      <td width="20%">
        <form action="<%=root_path %>queues/<%= queue.name %>" method="post">
-          <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSureDeleteQueue', :queue => queue.name) %>" />
+          <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSureDeleteQueue', :queue => h(queue.name)) %>" />
        </form>
      </td>
    </tr>