fix: escape user image url on various templates (backport #56269) (#56271)

Co-authored-by: Diptanil Saha <diptanil@frappe.io> fix: escape user image url on various templates (#56269)
2026-06-25 20:08:34 +00:00 · 2026-06-22 03:00:39 +05:30
parent f3307b3ca9
commit 3b734f4d5d
4 changed files with 4 additions and 4 deletions
--- a/erpnext/templates/emails/daily_project_summary.html
+++ b/erpnext/templates/emails/daily_project_summary.html
@@ -10,7 +10,7 @@
 		<td width="15"></td>
 		<td valign="top" width="24">
 			{% if user.image %}
-			<img class="sender-avatar" width="24" height="24" embed="{{ user.image }}"/>
+			<img class="sender-avatar" width="24" height="24" embed="{{ user.image | e }}"/>
 			{% else %}
 			<div class="sender-avatar-placeholder">
 				{{ user.full_name[0] }}
--- a/erpnext/templates/includes/projects/project_row.html
+++ b/erpnext/templates/includes/projects/project_row.html
@@ -34,7 +34,7 @@
              ], as_dict = True) %}
            {% if user_details.user_image %}
              <span class="avatar avatar-small" style="width:32px; height:32px;" title="{{ user_details.full_name }}">
-                <img src="{{ user_details.user_image }}">
+                <img src="{{ user_details.user_image | e }}">
              </span>
            {% else %}
              <span class="avatar avatar-small" style="width:32px; height:32px;" title="{{ user_details.full_name }}">
--- a/erpnext/templates/includes/projects/project_tasks.html
+++ b/erpnext/templates/includes/projects/project_tasks.html
@@ -27,7 +27,7 @@
 		as_dict = True)%}
        {% if user_details.user_image %}
          <span class="avatar avatar-small" style="width:32px; height:32px;" title="{{ user_details.full_name }}">
-            <img src="{{ user_details.user_image }}">
+            <img src="{{ user_details.user_image | e }}">
          </span>
        {% else %}
          <span class="avatar avatar-small" style="width:32px; height:32px;" title="{{ user_details.full_name }}">
--- a/erpnext/templates/includes/projects/project_timesheets.html
+++ b/erpnext/templates/includes/projects/project_timesheets.html
@@ -15,7 +15,7 @@
 		    %}
        {% if user_details.user_image %}
          <span class="avatar avatar-small" style="width:32px; height:32px;" title="{{ user_details.full_name }}">
-            <img src="{{ user_details.user_image }}">
+            <img src="{{ user_details.user_image | e }}">
          </span>
        {% else %}
          <span class="avatar avatar-small" style="width:32px; height:32px;" title="{{ user_details.full_name }}">