Escape id parameter for queues view #1687
Conversation
brianvans
force-pushed
the
queues_view_xss
branch
from
544aefd
to
70f14b1
Compare
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| <% if current_queue = params[:id] %> | |||
|
|
|||
| <h1>Pending jobs on <span class='hl'><%= current_queue %></span></h1> | |||
| <h1>Pending jobs on <span class='hl'><%= h current_queue %></span></h1> | |||
There was a problem hiding this comment.
h is only available in rails and resque does not depend on rails. This should do the trick:
| <h1>Pending jobs on <span class='hl'><%= h current_queue %></span></h1> | |
| <h1>Pending jobs on <span class='hl'><%= ERB::Util.html_escape current_queue %></span></h1> |
@brianvans does this look good to you?
There was a problem hiding this comment.
h is aliased as a helper over here:
I noticed it was used in a few other views, so it made sense to use it here as well.
There was a problem hiding this comment.
Ah, nice! Didn't realize that.
|
@brianvans what do you think of the suggested change? If you commit/accept, I can work on getting this merged. |
|
@chrisccerami Here's another one ready for merging! |
|
@brianvans can you rebase on master so we can get the tests to pass? |
brianvans
force-pushed
the
queues_view_xss
branch
from
70f14b1
to
efe7ba1
Compare
Done! |
|
@brianvans @iloveitaly could we get a security advisory published for this? |
|
cc @corincerami just realised you're the one that did the merging |
Fixes #1679