fix: Add likely missing escapes (backport #55574) (#55580)

* fix: Add likely missing escaps (#55574) (cherry picked from commit b72cde73ba) # Conflicts: # erpnext/accounts/doctype/budget/budget.py # erpnext/controllers/website_list_for_contact.py * chore: conflicts --------- Co-authored-by: Ankush Menat <ankush@frappe.io>
2026-06-28 13:28:35 +00:00 · 2026-06-18 11:32:54 +00:00
parent f3334eb2d3
commit ce8fce78f1
10 changed files with 44 additions and 27 deletions
--- a/erpnext/accounts/doctype/budget/budget.py
+++ b/erpnext/accounts/doctype/budget/budget.py
@@ -425,11 +425,11 @@ def get_ordered_amount(args):


 def get_other_condition(args, for_doc):
-	condition = "expense_account = '%s'" % (args.expense_account)
+	condition = f"expense_account = {frappe.db.escape(args.expense_account)}"
 	budget_against_field = args.get("budget_against_field")

 	if budget_against_field and args.get(budget_against_field):
-		condition += f" and child.{budget_against_field} = '{args.get(budget_against_field)}'"
+		condition += f" and child.{budget_against_field} = {frappe.db.escape(args.get(budget_against_field))}"

 	if args.get("fiscal_year"):
 		date_field = "schedule_date" if for_doc == "Material Request" else "transaction_date"
@@ -437,8 +437,7 @@ def get_other_condition(args, for_doc):
 			"Fiscal Year", args.get("fiscal_year"), ["year_start_date", "year_end_date"]
 		)

-		condition += f""" and parent.{date_field}
-			between '{start_date}' and '{end_date}' """
+	condition += f" and parent.{date_field} between {frappe.db.escape(str(start_date))} and {frappe.db.escape(str(end_date))}"

 	return condition

--- a/erpnext/accounts/doctype/journal_entry/journal_entry.py
+++ b/erpnext/accounts/doctype/journal_entry/journal_entry.py
@@ -1184,7 +1184,11 @@ class JournalEntry(AccountsController):
 		self.validate_total_debit_and_credit()

 	def get_values(self):
-		cond = f" and outstanding_amount <= {self.write_off_amount}" if flt(self.write_off_amount) > 0 else ""
+		cond = (
+			f" and outstanding_amount <= {flt(self.write_off_amount)}"
+			if flt(self.write_off_amount) > 0
+			else ""
+		)

 		if self.write_off_based_on == "Accounts Receivable":
 			return frappe.db.sql(
--- a/erpnext/bulk_transaction/doctype/bulk_transaction_log/bulk_transaction_log.py
+++ b/erpnext/bulk_transaction/doctype/bulk_transaction_log/bulk_transaction_log.py
@@ -31,7 +31,8 @@ class BulkTransactionLog(Document):
 		log_detail = qb.DocType("Bulk Transaction Log Detail")

 		has_records = frappe.db.sql(
-			f"select exists (select * from `tabBulk Transaction Log Detail` where date = '{self.name}');"
+			"select exists (select * from `tabBulk Transaction Log Detail` where date = %s);",
+			(self.name,),
 		)[0][0]
 		if not has_records:
 			raise frappe.DoesNotExistError
--- a/erpnext/controllers/status_updater.py
+++ b/erpnext/controllers/status_updater.py
@@ -394,9 +394,9 @@ class StatusUpdater(Document):
 		for args in self.status_updater:
 			# condition to include current record (if submit or no if cancel)
 			if self.docstatus == 1:
-				args["cond"] = " or parent='%s'" % self.name.replace('"', '"')
+				args["cond"] = " or parent=%s" % frappe.db.escape(self.name)
 			else:
-				args["cond"] = " and parent!='%s'" % self.name.replace('"', '"')
+				args["cond"] = " and parent!=%s" % frappe.db.escape(self.name)

 			self._update_children(args, update_modified)

@@ -426,9 +426,10 @@ class StatusUpdater(Document):
 				args["second_source_condition"] = frappe.db.sql(
 					""" select ifnull((select sum({second_source_field})
 					from `tab{second_source_dt}`
-					where `{second_join_field}`='{detail_id}'
+					where `{second_join_field}`=%(detail_id)s
 					and (`tab{second_source_dt}`.docstatus=1)
-					{second_source_extra_cond}), 0) """.format(**args)
+					{second_source_extra_cond}), 0) """.format(**args),
+					{"detail_id": args["detail_id"]},
 				)[0][0]

 			if args["detail_id"]:
@@ -439,9 +440,10 @@ class StatusUpdater(Document):
 					frappe.db.sql(
 						"""
 						(select ifnull(sum({source_field}), 0)
-							from `tab{source_dt}` where `{join_field}`='{detail_id}'
+							from `tab{source_dt}` where `{join_field}`=%(detail_id)s
 							and (docstatus=1 {cond}) {extra_cond})
-				""".format(**args)
+				""".format(**args),
+						{"detail_id": args["detail_id"]},
 					)[0][0]
 					or 0.0
 				)
@@ -452,7 +454,8 @@ class StatusUpdater(Document):
 				frappe.db.sql(
 					"""update `tab{target_dt}`
 					set {target_field} = {source_dt_value} {update_modified}
-					where name='{detail_id}'""".format(**args)
+					where name=%(detail_id)s""".format(**args),
+					{"detail_id": args["detail_id"]},
 				)

 	def _update_percent_field_in_targets(self, args, update_modified=True):
--- a/erpnext/controllers/website_list_for_contact.py
+++ b/erpnext/controllers/website_list_for_contact.py
@@ -7,7 +7,7 @@ import json
 import frappe
 from frappe import _
 from frappe.modules.utils import get_module_app
-from frappe.utils import flt, has_common
+from frappe.utils import cint, flt, has_common
 from frappe.utils.user import is_website_user


--- a/erpnext/selling/report/inactive_customers/inactive_customers.py
+++ b/erpnext/selling/report/inactive_customers/inactive_customers.py
@@ -14,6 +14,9 @@ def execute(filters=None):
 	days_since_last_order = filters.get("days_since_last_order")
 	doctype = filters.get("doctype")

+	if doctype not in ("Sales Order", "Sales Invoice"):
+		frappe.throw(_("Invalid value {0} for 'Doctype'").format(doctype))
+
 	if cint(days_since_last_order) <= 0:
 		frappe.throw(_("'Days Since Last Order' must be greater than or equal to zero"))

--- a/erpnext/selling/report/sales_analytics/sales_analytics.py
+++ b/erpnext/selling/report/sales_analytics/sales_analytics.py
@@ -427,14 +427,16 @@ class Analytics:
 				break

 	def get_groups(self):
-		if self.filters.tree_type == "Territory":
-			parent = "parent_territory"
-		if self.filters.tree_type == "Customer Group":
-			parent = "parent_customer_group"
-		if self.filters.tree_type == "Item Group":
-			parent = "parent_item_group"
-		if self.filters.tree_type == "Supplier Group":
-			parent = "parent_supplier_group"
+		parent_field_map = {
+			"Territory": "parent_territory",
+			"Customer Group": "parent_customer_group",
+			"Item Group": "parent_item_group",
+			"Supplier Group": "parent_supplier_group",
+		}
+		if self.filters.tree_type not in parent_field_map:
+			frappe.throw(_("Invalid Tree Type {0}").format(self.filters.tree_type))
+
+		parent = parent_field_map[self.filters.tree_type]

 		self.depth_map = frappe._dict()

@@ -453,6 +455,9 @@ class Analytics:
 	def get_teams(self):
 		self.depth_map = frappe._dict()

+		if not frappe.db.exists("DocType", self.filters.doc_type):
+			frappe.throw(_("Invalid Document Type {0}").format(self.filters.doc_type))
+
 		self.group_entries = frappe.db.sql(
 			f""" select * from (select "Order Types" as name, 0 as lft,
 			2 as rgt, '' as parent union select distinct order_type as name, 1 as lft, 1 as rgt, "Order Types" as parent
--- a/erpnext/setup/doctype/authorization_control/authorization_control.py
+++ b/erpnext/setup/doctype/authorization_control/authorization_control.py
@@ -120,7 +120,9 @@ class AuthorizationControl(TransactionBase):
 		if val == 1:
 			add_cond += " and system_user = {}".format(frappe.db.escape(session["user"]))
 		elif val == 2:
-			add_cond += " and system_role IN %s" % ("('" + "','".join(frappe.get_roles()) + "')")
+			add_cond += " and system_role IN (%s)" % ", ".join(
+				frappe.db.escape(r) for r in frappe.get_roles()
+			)
 		else:
 			add_cond += " and ifnull(system_user,'') = '' and ifnull(system_role,'') = ''"

@@ -203,8 +205,8 @@ class AuthorizationControl(TransactionBase):
 			and docstatus != 2
 		""".format(
 					"%s",
-					"'" + "','".join(frappe.get_roles()) + "'",
-					"'" + "','".join(final_based_on) + "'",
+					", ".join(frappe.db.escape(r) for r in frappe.get_roles()),
+					", ".join(frappe.db.escape(b) for b in final_based_on),
 					"%s",
 				),
 				(doctype_name, company),
--- a/erpnext/stock/doctype/material_request/material_request.py
+++ b/erpnext/stock/doctype/material_request/material_request.py
@@ -209,7 +209,7 @@ class MaterialRequest(BuyingController):

 	def check_modified_date(self):
 		mod_db = frappe.db.sql("""select modified from `tabMaterial Request` where name = %s""", self.name)
-		date_diff = frappe.db.sql(f"""select TIMEDIFF('{mod_db[0][0]}', '{cstr(self.modified)}')""")
+		date_diff = frappe.db.sql("""select TIMEDIFF(%s, %s)""", (mod_db[0][0], cstr(self.modified)))

 		if date_diff and date_diff[0][0]:
 			frappe.throw(_("{0} {1} has been modified. Please refresh.").format(_(self.doctype), self.name))
--- a/erpnext/stock/stock_balance.py
+++ b/erpnext/stock/stock_balance.py
@@ -283,7 +283,7 @@ def set_stock_balance_as_per_serial_no(
 	if not posting_time:
 		posting_time = nowtime()

-	condition = " and item.name='%s'" % item_code.replace("'", "'") if item_code else ""
+	condition = " and item.name=%s" % frappe.db.escape(item_code, percent=False) if item_code else ""

 	bin = frappe.db.sql(
 		"""select bin.item_code, bin.warehouse, bin.actual_qty, item.stock_uom