Merge pull request #46003 from akhilnarang/fix-xss

fix(send_message): escape HTML in the text
2026-04-13 11:55:11 +00:00 · 2025-02-19 16:14:19 +05:30
parent 8e42764274 448a5db20f
commit a1cbcda4c5
1 changed files with 3 additions and 0 deletions
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py
@@ -3,6 +3,7 @@


 import frappe
+from frappe.utils import escape_html


@frappe.whitelist(allow_guest=True)
@@ -11,6 +12,8 @@ def send_message(sender, message, subject="Website Query"):

 	website_send_message(sender, message, subject)

+	message = escape_html(message)
+
 	lead = customer = None
 	customer = frappe.db.sql(
 		"""select distinct dl.link_name from `tabDynamic Link` dl