From 2178d66b6686fbf4430223c34c184a64c9906828 Mon Sep 17 00:00:00 2001
From: Mike Perham <mperham@gmail.com>
Date: Mon, 4 May 2015 08:38:51 -0700
Subject: [PATCH] Queue name xss, fixes #2330

---
 web/views/queue.erb  | 2 +-
 web/views/queues.erb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/views/queue.erb b/web/views/queue.erb
index 98952eda..cfec15ea 100644
--- a/web/views/queue.erb
+++ b/web/views/queue.erb
@@ -1,7 +1,7 @@
 <header class="row">
   <div class="col-sm-5">
     <h3>
-      <%= t('CurrentMessagesInQueue', :queue => @name) %>
+      <%= t('CurrentMessagesInQueue', :queue => h(@name)) %>
       <% if @queue.paused? %>
         <span class="label label-danger"><%= t('Paused') %></span>
       <% end %>
diff --git a/web/views/queues.erb b/web/views/queues.erb
index b417a681..986d511e 100644
--- a/web/views/queues.erb
+++ b/web/views/queues.erb
@@ -17,7 +17,7 @@
       <td><%= number_with_delimiter(queue.size) %> </td>
       <td width="20%">
         <form action="<%=root_path %>queues/<%= queue.name %>" method="post">
-          <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSureDeleteQueue', :queue => queue.name) %>" />
+          <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSureDeleteQueue', :queue => h(queue.name)) %>" />
         </form>
       </td>
     </tr>