diff --git a/Changes.md b/Changes.md
index ccfa7930a..1311c4ad3 100644
--- a/Changes.md
+++ b/Changes.md
@@ -2,10 +2,13 @@
 [Sidekiq Changes](https://github.com/sidekiq/sidekiq/blob/main/Changes.md) | [Sidekiq Pro Changes](https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md) | [Sidekiq Enterprise Changes](https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md)
-HEAD
+7.0.8
 ----------
-- Add job hash as another parameter to any `sidekiq_retry_in` block.
+- **SECURITY** Sanitize `period` input parameter on Metrics pages.
+ Specially crafted values can lead to XSS. This functionality
+ was introduced in 7.0.4. Thank you to spercex @ huntr.dev [#5694]
+- Add job hash as 3rd parameter to the `sidekiq_retry_in` block.
 7.0.7
 ----------
diff --git a/lib/sidekiq/version.rb b/lib/sidekiq/version.rb
index bc3a80937..45b62a4ec 100644
--- a/lib/sidekiq/version.rb
+++ b/lib/sidekiq/version.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Sidekiq
- VERSION = "7.0.7"
+ VERSION = "7.0.8"
 MAJOR = 7
 end
diff --git a/lib/sidekiq/web/application.rb b/lib/sidekiq/web/application.rb
index 33cfb87c2..ca655bb25 100644
--- a/lib/sidekiq/web/application.rb
+++ b/lib/sidekiq/web/application.rb
@@ -68,7 +68,7 @@ def self.set(key, val)
 get "/metrics" do
 q = Sidekiq::Metrics::Query.new
- @period = params[:period]
+ @period = h((params[:period] || "")[0..1])
 @periods = METRICS_PERIODS
 minutes = @periods.fetch(@period, @periods.values.first)
 @query_result = q.top_jobs(minutes: minutes)
@@ -77,7 +77,7 @@ def self.set(key, val)
 get "/metrics/:name" do
 @name = route_params[:name]
- @period = params[:period]
+ @period = h((params[:period] || "")[0..1])
 q = Sidekiq::Metrics::Query.new
 @periods = METRICS_PERIODS
 minutes = @periods.fetch(@period, @periods.values.first)
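Review bot: The new `@period` assignment in the `/metrics` route (and the identical one in the `/metrics/:name` hunk) HTML-escapes the raw parameter and then uses that escaped string both as the `METRICS_PERIODS` lookup key and as the value the templates presumably render, so correctness still depends on `h` having run here and on every `METRICS_PERIODS` key being exactly two characters, which the `[0..1]` truncation silently assumes. Validating against the known keys makes the route safe by construction and drops both assumptions: `period = params[:period].to_s` followed by `@period = METRICS_PERIODS.key?(period) ? period : METRICS_PERIODS.keys.first`, after which `@periods.fetch(@period, ...)` can no longer miss. `to_s` also covers a parser yielding a non-String for `period` (an Array, for instance), which the current `[0..1]` would hand to `h` unchanged — worth confirming how `h` behaves on non-String input. The `get "/metrics" do` block continues past the end of the hunk.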