From 38bc5d69cdeccbd1030fcac72831e0eb36e92a72 Mon Sep 17 00:00:00 2001
From: diptanilsaha <diptanil@frappe.io>
Date: Wed, 25 Mar 2026 14:46:50 +0530
Subject: [PATCH] fix(templates): escape attachment `file_url` and `file_name`
 in `order.html` and `projects.html`

(cherry picked from commit d9760bbf4f539628540f0b8f6a6706b0ca09f4f1)
---
 erpnext/templates/pages/order.html    | 2 +-
 erpnext/templates/pages/projects.html | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/erpnext/templates/pages/order.html b/erpnext/templates/pages/order.html
index 0805a32ae33..5563a58b730 100644
--- a/erpnext/templates/pages/order.html
+++ b/erpnext/templates/pages/order.html
@@ -140,7 +140,7 @@
 				<div class="col-sm-12">
 					{% for attachment in attachments %}
 					<p class="small">
-						<a href="{{ attachment.file_url }}" target="blank"> {{ attachment.file_name }} </a>
+						<a href="{{ attachment.file_url|e }}" target="blank"> {{ attachment.file_name|e }} </a>
 					</p>
 					{% endfor %}
 				</div>
diff --git a/erpnext/templates/pages/projects.html b/erpnext/templates/pages/projects.html
index d88088c9819..6527036bb22 100644
--- a/erpnext/templates/pages/projects.html
+++ b/erpnext/templates/pages/projects.html
@@ -82,11 +82,11 @@
     <div class="project-attachments">
       {% for attachment in doc.attachments %}
         <div class="attachment">
-          <a class="no-decoration attachment-link" href="{{ attachment.file_url }}" target="blank">
+          <a class="no-decoration attachment-link" href="{{ attachment.file_url|e }}" target="blank">
             <div class="row">
               <div class="col-xs-9">
                 <span class="indicator red file-name">
-                  {{ attachment.file_name }}</span>
+                  {{ attachment.file_name|e }}</span>
               </div>
               <div class="col-xs-3">
                 <span class="pull-right file-size">{{ attachment.file_size }}</span>