refactor: escape instead of sanitizing HTML (#22339) (#22340)

Traceback if it contains HTML can be useful, better to escape and show instead of modifying it. (cherry picked from commit 4a5e584) Co-authored-by: Ankush Menat <ankush@frappe.io>
frappe · Sep 10, 2023 · 3dc5d2f · 3dc5d2f
1 parent e6dabc7
commit 3dc5d2f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/frappe/app.py b/frappe/app.py
@@ -25,7 +25,7 @@
 from frappe import _
 from frappe.core.doctype.comment.comment import update_comments_in_parent_after_request
 from frappe.middlewares import StaticDataMiddleware
-from frappe.utils import get_site_name, sanitize_html
+from frappe.utils import escape_html, get_site_name
 from frappe.utils.error import make_error_snapshot
 
 local_manager = LocalManager([frappe.local])
@@ -283,7 +283,7 @@ def handle_exception(e):
 		response = frappe.rate_limiter.respond()
 
 	else:
-		traceback = "<pre>" + sanitize_html(frappe.get_traceback()) + "</pre>"
+		traceback = "<pre>" + escape_html(frappe.get_traceback()) + "</pre>"
 		# disable traceback in production if flag is set
 		if frappe.local.flags.disable_traceback and not frappe.local.dev_server:
 			traceback = ""