From f01f7e7974149f64bd7622d0752cb5673704354b Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:48:25 +0530
Subject: [PATCH] fix(warehouse_capacity_dashboard): escaping `warehouse`,
 `item_code` and `company` on `get_data` (backport #53894) (#53900)

Co-authored-by: diptanilsaha <diptanil@frappe.io>
fix(warehouse_capacity_dashboard): escaping `warehouse`, `item_code` and `company` on `get_data` (#53894)
---
 erpnext/stock/dashboard/warehouse_capacity_dashboard.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/erpnext/stock/dashboard/warehouse_capacity_dashboard.py b/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
index 75b2951e30b..39701ed3f0d 100644
--- a/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
+++ b/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
@@ -1,6 +1,6 @@
 import frappe
 from frappe.desk.reportview import build_match_conditions
-from frappe.utils import flt, nowdate
+from frappe.utils import escape_html, flt, nowdate
 
 from erpnext.stock.utils import get_stock_balance
 
@@ -75,6 +75,9 @@ def get_warehouse_capacity_data(filters, start):
 		balance_qty = get_stock_balance(entry.item_code, entry.warehouse, nowdate()) or 0
 		entry.update(
 			{
+				"warehouse": escape_html(entry.warehouse),
+				"item_code": escape_html(entry.item_code),
+				"company": escape_html(entry.company),
 				"actual_qty": balance_qty,
 				"percent_occupied": flt((flt(balance_qty) / flt(entry.stock_capacity)) * 100, 0),
 			}