From ddeb9775ed24b62abe571c404564fddf1eb2e48a Mon Sep 17 00:00:00 2001
From: diptanilsaha <diptanil@frappe.io>
Date: Mon, 30 Mar 2026 13:16:33 +0530
Subject: [PATCH] fix(warehouse_capacity_dashboard): escaping `warehouse`,
 `item_code` and `company` on `get_data` (#53894)

---
 erpnext/stock/dashboard/warehouse_capacity_dashboard.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/erpnext/stock/dashboard/warehouse_capacity_dashboard.py b/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
index cbebc99ba55..1d550010315 100644
--- a/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
+++ b/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
@@ -1,6 +1,6 @@
 import frappe
 from frappe.desk.reportview import build_match_conditions
-from frappe.utils import flt, nowdate
+from frappe.utils import escape_html, flt, nowdate
 
 from erpnext.stock.utils import get_stock_balance
 
@@ -75,6 +75,9 @@ def get_warehouse_capacity_data(filters, start):
 		balance_qty = get_stock_balance(entry.item_code, entry.warehouse, nowdate()) or 0
 		entry.update(
 			{
+				"warehouse": escape_html(entry.warehouse),
+				"item_code": escape_html(entry.item_code),
+				"company": escape_html(entry.company),
 				"actual_qty": balance_qty,
 				"percent_occupied": flt((flt(balance_qty) / flt(entry.stock_capacity)) * 100, 0),
 			}