From cbec989a7cdf15be0367e8d1b1d52ebeefc928f3 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 19 Feb 2025 12:23:10 +0530
Subject: [PATCH] fix(send_message): escape HTML in the text
Signed-off-by: Akhil Narang
(cherry picked from commit 448a5db20f2959fd6ce809a8894d32c8345a76fc)
---
 erpnext/templates/utils.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/erpnext/templates/utils.py b/erpnext/templates/utils.py
index 57750a56f6f..15af9f0f014 100644
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py
@@ -3,6 +3,7 @@
 import frappe
+from frappe.utils import escape_html
 @frappe.whitelist(allow_guest=True)
@@ -11,6 +12,8 @@ def send_message(sender, message, subject="Website Query"):
 website_send_message(sender, message, subject)
+ message = escape_html(message)
+
 lead = customer = None
 customer = frappe.db.sql(
 """select distinct dl.link_name from `tabDynamic Link` dl
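Review bot: The added `message = escape_html(message)` runs only after `website_send_message(sender, message, subject)` has already been called with the raw `message`, so that path still receives unescaped input; if the escaping is meant to cover both sinks, the assignment belongs above that call. `sender` and `subject` are left untouched even though `send_message` is exposed with `allow_guest=True` (first hunk context) and `subject` is caller-supplied as well. Escaping at this point means the stored value is already HTML-encoded, so any later rendering that escapes again would presumably double-encode it; a one-line comment on the new line such as `# escape once here: the stored message is rendered as HTML downstream, do not re-escape` would make that contract explicit. The body of send_message continues past the end of this hunk.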