From 878ffff0c9ea772b6ad46d30586a71f61aea8c15 Mon Sep 17 00:00:00 2001
From: Mike Perham <mperham@gmail.com>
Date: Tue, 24 Jan 2017 10:27:50 -0800
Subject: [PATCH] Fix a number of issues with URL-unsafe queue names, fixes
 #3327

---
 lib/sidekiq/web/application.rb | 2 +-
 web/views/queue.erb            | 4 ++--
 web/views/queues.erb           | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb
index abb6c433..56c13979 100644
--- a/lib/sidekiq/web/application.rb
+++ b/lib/sidekiq/web/application.rb
@@ -85,7 +85,7 @@ module Sidekiq
       name = route_params[:name]
       Sidekiq::Job.new(params['key_val'], name).delete
 
-      redirect_with_query("#{root_path}queues/#{name}")
+      redirect_with_query("#{root_path}queues/#{CGI.escape(name)}")
     end
 
     get '/morgue' do
diff --git a/web/views/queue.erb b/web/views/queue.erb
index 8f82b0a6..175b6729 100644
--- a/web/views/queue.erb
+++ b/web/views/queue.erb
@@ -8,7 +8,7 @@
     </h3>
   </div>
   <div class="col-sm-4 pull-right">
-    <%= erb :_paging, locals: { url: "#{root_path}queues/#{@name}" } %>
+    <%= erb :_paging, locals: { url: "#{root_path}queues/#{CGI.escape(@name)}" } %>
   </div>
 </header>
 <div class="table_container">
@@ -32,7 +32,7 @@
           <% end %>
         </td>
         <td>
-          <form action="<%= root_path %>queues/<%= @name %>/delete" method="post">
+          <form action="<%= root_path %>queues/<%= CGI.escape(@name) %>/delete" method="post">
             <%= csrf_tag %>
             <input name="key_val" value="<%= h Sidekiq.dump_json(msg.item) %>" type="hidden" />
             <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSure') %>" />
diff --git a/web/views/queues.erb b/web/views/queues.erb
index 2399fba2..e1649739 100644
--- a/web/views/queues.erb
+++ b/web/views/queues.erb
@@ -10,14 +10,14 @@
     <% @queues.each do |queue| %>
       <tr>
         <td>
-          <a href="<%= root_path %>queues/<%= queue.name %>"><%= queue.name %></a>
+          <a href="<%= root_path %>queues/<%= CGI.escape(queue.name) %>"><%= h queue.name %></a>
           <% if queue.paused? %>
             <span class="label label-danger"><%= t('Paused') %></span>
           <% end %>
         </td>
         <td><%= number_with_delimiter(queue.size) %> </td>
         <td class="delete-confirm">
-          <form action="<%=root_path %>queues/<%= queue.name %>" method="post">
+          <form action="<%=root_path %>queues/<%= CGI.escape(queue.name) %>" method="post">
             <%= csrf_tag %>
             <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSureDeleteQueue', :queue => h(queue.name)) %>" />
           </form>