Merge pull request #53780 from frappe/mergify/bp/version-15-hotfix/pr-53779

fix(template): escape attachment `file_url` and `file_name` and jinja syntax (backport #53779)
2026-04-11 19:05:08 +00:00 · 2026-03-25 15:20:01 +05:30
parent 64956ab59c 979c594e98
commit 40c8201302
2 changed files with 5 additions and 5 deletions
--- a/erpnext/templates/pages/order.html
+++ b/erpnext/templates/pages/order.html
@@ -140,7 +140,7 @@
 				<div class="col-sm-12">
 					{% for attachment in attachments %}
 					<p class="small">
-						<a href="{{ attachment.file_url }}" target="blank"> {{ attachment.file_name }} </a>
+						<a href="{{ attachment.file_url|e }}" target="blank"> {{ attachment.file_name|e }} </a>
 					</p>
 					{% endfor %}
 				</div>
--- a/erpnext/templates/pages/projects.html
+++ b/erpnext/templates/pages/projects.html
@@ -82,11 +82,11 @@
    <div class="project-attachments">
      {% for attachment in doc.attachments %}
        <div class="attachment">
-          <a class="no-decoration attachment-link" href="{{ attachment.file_url }}" target="blank">
+          <a class="no-decoration attachment-link" href="{{ attachment.file_url|e }}" target="blank">
            <div class="row">
              <div class="col-xs-9">
                <span class="indicator red file-name">
-                  {{ attachment.file_name }}</span>
+                  {{ attachment.file_name|e }}</span>
              </div>
              <div class="col-xs-3">
                <span class="pull-right file-size">{{ attachment.file_size }}</span>
@@ -101,8 +101,8 @@
 </div>

 <script>
-  { % include "frappe/public/js/frappe/provide.js" % }
-  { % include "frappe/public/js/frappe/form/formatters.js" % }
+  {% include "frappe/public/js/frappe/provide.js" %}
+  {% include "frappe/public/js/frappe/form/formatters.js" %}
 </script>

 {% endblock %}