fix: minor improvements to web templates, banking page and CI workflow (#55525)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

.github/workflows/sync-hotfix-translations.yml

@@ -16,6 +16,10 @@ on:
     - cron: "0 10 * * 1"
   workflow_dispatch:
 
+# The runner dispatch uses RELEASE_TOKEN (a PAT), not the default GITHUB_TOKEN,
+# so no GITHUB_TOKEN permissions are required.
+permissions: {}
+
 jobs:
   trigger-runners:
     name: Trigger sync → ${{ matrix.hotfix_branch }}

erpnext/templates/includes/announcement/announcement_row.html

@@ -24,10 +24,10 @@
 			if(content.length > show_char) {
 
 				var c = content.substr(0, show_char)
-				var h = content.substr(show_char, content.length - show_char);
 
-				html = c + '  ...'
-				$(this).html(html);
+				// Set as text (not HTML) so DOM text isn't re-interpreted as
+				// markup (XSS). \u00a0 is a non-breaking space (same as  ).
+				$(this).text(c + '\u00a0\u00a0...');
 			}
 		});
 	});

erpnext/templates/includes/projects/project_search_box.html

@@ -18,7 +18,7 @@ frappe.ready(function() {
 	}
 	var thread = null;
 	function findResult(t) {
-		window.location.href="/projects?project={{doc.name}}&q=" + t;
+		window.location.href="/projects?project={{doc.name}}&q=" + encodeURIComponent(t);
 	}
 
 	$("#project-search").keyup(function() {

erpnext/www/banking.py

@@ -8,8 +8,8 @@ from frappe.utils.jinja_globals import is_rtl
 
 no_cache = 1
 
-SCRIPT_TAG_PATTERN = re.compile(r"\<script[^<]*\</script\>")
-CLOSING_SCRIPT_TAG_PATTERN = re.compile(r"</script\>")
+SCRIPT_TAG_PATTERN = re.compile(r"\<script[^<]*\</script\>", re.IGNORECASE)
+CLOSING_SCRIPT_TAG_PATTERN = re.compile(r"</script\>", re.IGNORECASE)
 
 
 def get_context(context):