
Commit ee99d2e

Escape HTML from the params to avoid XSS (#1790)
* Escape HTML from the params to avoid XSS * Only escape the param when it's printed to the DOM
1 parent 8eb72a8 commit ee99d2e


4 files changed

+6
-6
lines changed


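--- a/lib/resque/server/views/error.erb
+++ b/lib/resque/server/views/error.erb
@@ -1 +1 @@
-<h1 style="font-size:110%;font-family:Arial, sans-serif;"><%= error %></h1>
+<h1 style="font-size:110%;font-family:Arial, sans-serif;"><%= escape_html(error) %></h1>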

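--- a/lib/resque/server/views/failed.erb
+++ b/lib/resque/server/views/failed.erb
@@ -1,12 +1,12 @@
 <% if failed_multiple_queues? && !params[:queue] %>
 <h1>All Failed Queues: <%= Resque::Failure.queues.size %> total</h1>
 <% else %>
-<h1>Failed Jobs <%= "on '#{params[:queue]}'" if params[:queue] %> <%= "with class '#{params[:class]}'" if params[:class] %></h1>
+<h1>Failed Jobs <%= "on '#{escape_html(params[:queue])}'" if params[:queue] %> <%= "with class '#{escape_html(params[:class])}'" if params[:class] %></h1>
 <% end %>
 
 <% unless failed_size.zero? %>
 <form method="POST" action="<%= u "failed#{'/' + params[:queue] if params[:queue]}/clear" %>">
-<input type="submit" name="" value="Clear <%= params[:queue] ? "'#{params[:queue]}'" : 'Failed' %> Jobs" class="confirmSubmission" />
+<input type="submit" name="" value="Clear <%= params[:queue] ? "'#{escape_html(params[:queue])}'" : 'Failed' %> Jobs" class="confirmSubmission" />
 </form>
 
 <% unless params[:queue] %>
@@ -15,7 +15,7 @@
 </form>
 <% end %>
 <form method="POST" action="<%= u "failed#{'/' + params[:queue] if params[:queue]}/requeue/all" %>">
-<input type="submit" name="" value="Retry <%= params[:queue] ? "'#{params[:queue]}'" : 'Failed' %> Jobs" class="confirmSubmission" />
+<input type="submit" name="" value="Retry <%= params[:queue] ? "'#{escape_html(params[:queue])}'" : 'Failed' %> Jobs" class="confirmSubmission" />
 </form>
 <% end %>
 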
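Review bot: `escape_html(params[:queue])` is now written out in three separate places across the two hunks (the heading on old line 4, the Clear submit value on line 9 and the Retry submit value on line 18), so a future edit that adds a fourth use of `params[:queue]` to this view has to remember the wrapper each time. Computing it once at the top of the template, e.g. `<% queue_label = escape_html(params[:queue]) if params[:queue] %>`, and interpolating `queue_label` in those three spots would keep the escaping in one place. The commit also leaves lines 13-14 outside the hunks and the job rows below line 21 unseen, so whether `params[:class]` or the per-job fields are rendered raw elsewhere in this view cannot be confirmed from this page. queues.erb in the same commit escapes through the `h` helper; if that is the same escaper, picking one name for all four views would read more consistently.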

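--- a/lib/resque/server/views/key_string.erb
+++ b/lib/resque/server/views/key_string.erb
@@ -1,5 +1,5 @@
 <% if key = params[:key] %>
-<h1>Key "<%= key %>" is a <%= resque.redis.type key %></h1>
+<h1>Key "<%= escape_html(key) %>" is a <%= resque.redis.type key %></h1>
 <h2>size: <%= redis_get_size(key) %></h2>
 <table>
 <tr>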

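--- a/lib/resque/server/views/queues.erb
+++ b/lib/resque/server/views/queues.erb
@@ -2,7 +2,7 @@
 
 <% if current_queue = params[:id] %>
 
-<h1>Pending jobs on <span class='hl'><%= h current_queue %></span></h1>
+<h1>Pending jobs on <span class='hl'><%= h escape_html(current_queue) %></span></h1>
 <form method="POST" action="<%=u "/queues/#{current_queue}/remove" %>" class='remove-queue'>
 <input type='submit' name='' value='Remove Queue' class="confirmSubmission" />
 </form>
</form>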
