refactor: Format and sanitise user inputs to search queries. (#22913)

* refactor: Sanitize whitelisted method inputs Co-authored-by: Prssanna Desai <prssud@gmail.com> Co-authored-by: Shivam Mishra <scmmishra@users.noreply.github.com> * refactor: Format and sanitize tax_account_query inputs Co-authored-by: Nabin Hait <nabinhait@gmail.com> Co-authored-by: Prssanna Desai <prssud@gmail.com> Co-authored-by: Shivam Mishra <scmmishra@users.noreply.github.com> * refactor: Validate and sanitize search inputs via decorator Co-authored-by: Nabin Hait <nabinhait@gmail.com> Co-authored-by: Prssanna Desai <prssud@gmail.com> Co-authored-by: Shivam Mishra <scmmishra@users.noreply.github.com> * style: Minor formatting fix * refactor: Validate and sanitize search inputs using decorator * fix: Typo * fix: Remove unwanted import statement * refactor: Repalce validate_and_sanitize_search_inputs() with validate_and_sanitize_search_inputs Co-authored-by: Prssanna Desai <prssud@gmail.com> Co-authored-by: Shivam Mishra <scmmishra@users.noreply.github.com> Co-authored-by: Prssanna Desai <prssud@gmail.com> Co-authored-by: Shivam Mishra <scmmishra@users.noreply.github.com> Co-authored-by: Nabin Hait <nabinhait@gmail.com>
2026-05-14 18:51:21 +00:00 · 2020-08-05 19:42:25 +05:30
parent 0c818927a5
commit 1923ef052c
35 changed files with 138 additions and 48 deletions
--- a/erpnext/projects/doctype/project/project.py
+++ b/erpnext/projects/doctype/project/project.py
@@ -239,6 +239,7 @@ def get_list_context(context=None):
 	}

@frappe.whitelist()
+@frappe.validate_and_sanitize_search_inputs
 def get_users_for_project(doctype, txt, searchfield, start, page_len, filters):
 	conditions = []
 	return frappe.db.sql("""select name, concat_ws(' ', first_name, middle_name, last_name)
--- a/erpnext/projects/doctype/task/task.py
+++ b/erpnext/projects/doctype/task/task.py
@@ -193,6 +193,7 @@ def check_if_child_exists(name):


@frappe.whitelist()
+@frappe.validate_and_sanitize_search_inputs
 def get_project(doctype, txt, searchfield, start, page_len, filters):
 	from erpnext.controllers.queries import get_match_cond
 	return frappe.db.sql(""" select name from `tabProject`
--- a/erpnext/projects/doctype/timesheet/timesheet.py
+++ b/erpnext/projects/doctype/timesheet/timesheet.py
@@ -214,6 +214,7 @@ def get_projectwise_timesheet_data(project, parent=None):
 			and sales_invoice is null""".format(cond), {'project': project, 'parent': parent}, as_dict=1)

@frappe.whitelist()
+@frappe.validate_and_sanitize_search_inputs
 def get_timesheet(doctype, txt, searchfield, start, page_len, filters):
 	if not filters: filters = {}

--- a/erpnext/projects/utils.py
+++ b/erpnext/projects/utils.py
@@ -7,6 +7,7 @@ from __future__ import unicode_literals
 import frappe

@frappe.whitelist()
+@frappe.validate_and_sanitize_search_inputs
 def query_task(doctype, txt, searchfield, start, page_len, filters):
 	from frappe.desk.reportview import build_match_conditions