From 4ac6347cc56fc556fd83e3789d1a3cecb30300ad Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:52:17 +0000
Subject: [PATCH] fix(item_dashboard): escaping `warehouse`, `item_code`,
 `stock_uom` and `item_name` on `get_data` (backport #53904) (#53914)

Co-authored-by: diptanilsaha <diptanil@frappe.io>
fix(item_dashboard): escaping `warehouse`, `item_code`, `stock_uom` and `item_name` on `get_data` (#53904)
---
 erpnext/stock/dashboard/item_dashboard.py        | 8 +++++---
 erpnext/stock/dashboard/item_dashboard_list.html | 6 +++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/erpnext/stock/dashboard/item_dashboard.py b/erpnext/stock/dashboard/item_dashboard.py
index d77ed7a6212..5de54c55461 100644
--- a/erpnext/stock/dashboard/item_dashboard.py
+++ b/erpnext/stock/dashboard/item_dashboard.py
@@ -1,6 +1,6 @@
 import frappe
 from frappe.desk.reportview import build_match_conditions
-from frappe.utils import cint, flt
+from frappe.utils import cint, escape_html, flt
 
 from erpnext.stock.doctype.stock_reservation_entry.stock_reservation_entry import (
 	get_sre_reserved_qty_for_items_and_warehouses as get_reserved_stock_details,
@@ -70,8 +70,10 @@ def get_data(
 	for item in items:
 		item.update(
 			{
-				"item_name": frappe.get_cached_value("Item", item.item_code, "item_name"),
-				"stock_uom": frappe.get_cached_value("Item", item.item_code, "stock_uom"),
+				"item_code": escape_html(item.item_code),
+				"item_name": escape_html(frappe.get_cached_value("Item", item.item_code, "item_name")),
+				"stock_uom": escape_html(frappe.get_cached_value("Item", item.item_code, "stock_uom")),
+				"warehouse": escape_html(item.warehouse),
 				"disable_quick_entry": frappe.get_cached_value("Item", item.item_code, "has_batch_no")
 				or frappe.get_cached_value("Item", item.item_code, "has_serial_no"),
 				"projected_qty": flt(item.projected_qty, precision),
diff --git a/erpnext/stock/dashboard/item_dashboard_list.html b/erpnext/stock/dashboard/item_dashboard_list.html
index ae90ff80686..34d51814b2f 100644
--- a/erpnext/stock/dashboard/item_dashboard_list.html
+++ b/erpnext/stock/dashboard/item_dashboard_list.html
@@ -50,15 +50,15 @@
 					data-warehouse="{{ d.warehouse }}"
 					data-actual_qty="{{ d.actual_qty }}"
 					data-stock-uom="{{ d.stock_uom }}"
-					data-item="{{ escape(d.item_code) }}">{{ __("Move") }}</a>
+					data-item="{{ d.item_code }}">{{ __("Move") }}</button>
 				{% endif %}
 				<button style="margin-left: 7px;" class="btn btn-default btn-xs btn-add"
 					data-disable_quick_entry="{{ d.disable_quick_entry }}"
 					data-warehouse="{{ d.warehouse }}"
 					data-actual_qty="{{ d.actual_qty }}"
 					data-stock-uom="{{ d.stock_uom }}"
-					data-item="{{ escape(d.item_code) }}"
-					data-rate="{{ d.valuation_rate }}">{{ __("Add") }}</a>
+					data-item="{{ d.item_code }}"
+					data-rate="{{ d.valuation_rate }}">{{ __("Add") }}</button>
 			</div>
 			{% endif %}
 		</div>