diff --git a/.github/workflows/sync-hotfix-translations.yml b/.github/workflows/sync-hotfix-translations.yml
index 5de1718413f..8fcd07e0ab2 100644
--- a/.github/workflows/sync-hotfix-translations.yml
+++ b/.github/workflows/sync-hotfix-translations.yml
@@ -16,6 +16,10 @@ on:
- cron: "0 10 * * 1"
workflow_dispatch:
+# The runner dispatch uses RELEASE_TOKEN (a PAT), not the default GITHUB_TOKEN,
+# so no GITHUB_TOKEN permissions are required.
+permissions: {}
+
jobs:
trigger-runners:
name: Trigger sync → ${{ matrix.hotfix_branch }}
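Review bot: The new comment above `permissions: {}` explains why GITHUB_TOKEN needs nothing but says nothing about what RELEASE_TOKEN itself is allowed to do, and a classic PAT used for a cross-repo dispatch usually carries far more than the single `actions: write` permission the dispatch needs. I would extend the comment to pin the expected scope so the next person rotating the secret does not mint a broad one, e.g. `# RELEASE_TOKEN: fine-grained PAT scoped to actions:write on the target repos only; rotate on expiry.`. The triggers visible just above are `schedule` and `workflow_dispatch`, so the PAT is not reachable from fork pull requests; the `trigger-runners` job body that actually reads the secret lies outside the hunk, so its use is inferred from the comment.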
diff --git a/erpnext/templates/includes/announcement/announcement_row.html b/erpnext/templates/includes/announcement/announcement_row.html
index 3099441e344..1eda74784ca 100644
--- a/erpnext/templates/includes/announcement/announcement_row.html
+++ b/erpnext/templates/includes/announcement/announcement_row.html
@@ -24,10 +24,10 @@
if(content.length > show_char) {
var c = content.substr(0, show_char)
- var h = content.substr(show_char, content.length - show_char);
- html = c + ' ...'
- $(this).html(html);
+ // Set as text (not HTML) so DOM text isn't re-interpreted as
+ // markup (XSS). \u00a0 is a non-breaking space (same as ).
+ $(this).text(c + '\u00a0\u00a0...');
}
});
});
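Review bot: Switching to `.text()` is the right fix, but whether the truncated string now renders correctly depends on how `content` is read above the hunk: if it was obtained with `$(this).html()`, `c` still holds raw markup and entities, and `.text()` will now display them literally as `&lt;p&gt;…`, so that read should become `$(this).text()` as well. A minor second point is that `content.substr(0, show_char)` truncates by UTF-16 code unit and can split a surrogate pair at the cut; `Array.from(content).slice(0, show_char).join('')` truncates by code point and `substr` is deprecated anyway. The `content` and `show_char` assignments, and the enclosing `.each` callback, start before the hunk, so their form is inferred.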
diff --git a/erpnext/templates/includes/projects/project_search_box.html b/erpnext/templates/includes/projects/project_search_box.html
index d7466873dda..8bebd0be244 100644
--- a/erpnext/templates/includes/projects/project_search_box.html
+++ b/erpnext/templates/includes/projects/project_search_box.html
@@ -18,7 +18,7 @@ frappe.ready(function() {
}
var thread = null;
function findResult(t) {
- window.location.href="/projects?project={{doc.name}}&q=" + t;
+ window.location.href="/projects?project={{doc.name}}&q=" + encodeURIComponent(t);
}
$("#project-search").keyup(function() {
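Review bot: `encodeURIComponent(t)` fixes the user-typed half of the query string, but `{{doc.name}}` on the same line is still interpolated into the URL by the template engine: Jinja autoescape HTML-escapes it, which is neither URL-encoding nor JS-string escaping, so a project name containing `&`, `#`, `?` or a quote would still break the query string or the JS literal. Use Jinja's built-in filter for that half: `window.location.href="/projects?project={{ doc.name | urlencode }}&q=" + encodeURIComponent(t);`. The `frappe.ready` callback this sits in begins before the hunk, so I cannot see whether `doc.name` is constrained elsewhere.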
diff --git a/erpnext/www/banking.py b/erpnext/www/banking.py
index ce47c16dc28..eebfebe2474 100644
--- a/erpnext/www/banking.py
+++ b/erpnext/www/banking.py
@@ -8,8 +8,8 @@ from frappe.utils.jinja_globals import is_rtl
no_cache = 1
-SCRIPT_TAG_PATTERN = re.compile(r"\")
+SCRIPT_TAG_PATTERN = re.compile(r"\", re.IGNORECASE)
def get_context(context):
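Review bot: Adding `re.IGNORECASE` closes only the `<SCRIPT>` casing variant of a regex-based script stripper; a blocklist regex over HTML remains bypassable regardless (nested forms such as `<scr<script>ipt>` that re-form after a single removal, inline event handlers like `onerror=` on other elements, `javascript:` URLs), so `SCRIPT_TAG_PATTERN` must not be treated as the XSS control. The pattern text is garbled in this view, so I cannot judge its exact form; the robust approach is to run the content through an allowlist HTML sanitizer (Frappe appears to ship `frappe.utils.sanitize_html` — confirm it is available here) or to escape it on output instead of stripping tags. I would also record that limitation next to the constant, e.g. `# Best-effort stripping only; not a substitute for sanitizing/escaping on output.`. Where the pattern is applied inside `get_context` lies outside the hunk, so its use is inferred.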