From cfc3f314e4487c676260412b502dfe2324c20cf4 Mon Sep 17 00:00:00 2001
From: Mike Perham
Date: Wed, 15 Feb 2017 09:29:17 -0800
Subject: [PATCH] escape page and poll parameters for safety

---
 lib/sidekiq/web/helpers.rb | 3 ++-
 test/test_web.rb | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/sidekiq/web/helpers.rb b/lib/sidekiq/web/helpers.rb
index 6a7ad4ce..6c2dad37 100644
--- a/lib/sidekiq/web/helpers.rb
+++ b/lib/sidekiq/web/helpers.rb
@@ -2,6 +2,7 @@
 require 'uri'
 require 'set'
 require 'yaml'
+require 'cgi'
 
 module Sidekiq
   # This is not a public API
@@ -161,7 +162,7 @@ module Sidekiq
     def qparams(options)
       options = options.stringify_keys
       params.merge(options).map do |key, value|
-        SAFE_QPARAMS.include?(key) ? "#{key}=#{value}" : next
+        SAFE_QPARAMS.include?(key) ? "#{key}=#{CGI.escape(value.to_s)}" : next
       end.compact.join("&")
     end
 
diff --git a/test/test_web.rb b/test/test_web.rb
index 59e59d71..b47c6c1e 100644
--- a/test/test_web.rb
+++ b/test/test_web.rb
@@ -557,6 +557,12 @@ class TestWeb < Sidekiq::Test
       assert_equal 200, last_response.status
       assert_match(/#{params.first['args'][2]}/, last_response.body)
     end
+
+    it 'handles bad query input' do
+      get '/queues/foo?page=B
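Review bot: The new `CGI.escape(value.to_s)` in `qparams` is the only thing keeping a user-controlled `page`/`poll` value out of whatever attribute the views interpolate this string into (presumably an `href`; the templates are not in this patch), and nothing on the line says so, which makes it an easy casualty of a later cleanup. I would add a comment above the ternary: `# CGI.escape leaves only alphanumerics, '*-._+' and %XX, so the result is safe to interpolate unescaped into a query string or href`. Only the value is escaped; the key is safe solely because it must pass the SAFE_QPARAMS whitelist, which is defined outside this hunk and should stay a fixed list of literal names. Output escaping does not validate the input, so `page` should still be coerced to an integer where it is consumed (elsewhere in this file, as far as I can tell), and the new test in test_web.rb that exercises this is cut off in this view. As a point of style, `? … : next` inside `map` followed by `compact` reads oddly; `params.merge(options).select { |k, _| SAFE_QPARAMS.include?(k) }.map { |k, v| "#{k}=#{CGI.escape(v.to_s)}" }.join("&")` says the same thing without the `nil` placeholders.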