Fix for CVE-2024-32887

sidekiq · Apr 26, 2024 · 30786e0 · 30786e0
1 parent 371884e
commit 30786e0
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/Changes.md b/Changes.md
@@ -2,6 +2,12 @@
 
 [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md)
 
+7.2.4
+----------
+
+- Fix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887
+  Thanks to @UmerAdeemCheema for the security report.
+
 7.2.3
 ----------
 

diff --git a/lib/sidekiq/version.rb b/lib/sidekiq/version.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Sidekiq
-  VERSION = "7.2.3"
+  VERSION = "7.2.4"
   MAJOR = 7
 end
diff --git a/web/views/metrics.erb b/web/views/metrics.erb
@@ -12,7 +12,7 @@
     <form id="metrics-form" class="form-inline" action="<%= root_path %>filter/metrics" method="post">
       <%= csrf_tag %>
       <label for="substr"><%= t('Filter') %></label>
-      <input id="class-filter" class="form-control" type="text" name="substr" placeholder="<%= t('Name') %>" value="<%= params[:substr] %>">
+      <input id="class-filter" class="form-control" type="text" name="substr" placeholder="<%= t('Name') %>" value="<%= h params[:substr] %>">
       <select id="period-selector" class="form-control" name="period">
         <% @periods.each_key do |code| %>
           <% if code == @period %>