fix: escape HTML instead of sanitizing
(cherry picked from commit a56ea73)
sagarvora committed Mar 30, 2023
1 parent 1545fbd commit 68ad9cf
Showing 1 changed file with 5 additions and 6 deletions.
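--- a/frappe/www/printview.py
+++ b/frappe/www/printview.py
@@ -15,7 +15,7 @@
 from frappe.core.doctype.access_log.access_log import make_access_log
 from frappe.core.doctype.document_share_key.document_share_key import is_expired
 from frappe.modules import get_doc_path
-from frappe.utils import cint, sanitize_html, strip_html
+from frappe.utils import cint, escape_html, strip_html
 from frappe.utils.jinja import is_rtl
 
 no_cache = 1
@@ -28,12 +28,11 @@ def get_context(context):
 """Build context for print"""
 if not ((frappe.form_dict.doctype and frappe.form_dict.name) or frappe.form_dict.doc):
 return {
-"body": sanitize_html(
-"""<h1>Error</h1>
+"body": f"""
+<h1>Error</h1>
 <p>Parameters doctype and name required</p>
-<pre>%s</pre>"""
-% repr(frappe.form_dict)
-)
+<pre>{escape_html(frappe.as_json(frappe.form_dict, indent=2))}</pre>
+"""
 }
 
 if frappe.form_dict.doc: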
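Review bot: The error branch of `get_context` still echoes every request parameter back into the page, through `frappe.as_json(frappe.form_dict, indent=2)` inside the `<pre>`. Escaping closes the markup path, but the dump may still render values that need not appear in an error body, such as a share key or token carried in the query string (the module imports `is_expired` from document_share_key; whether such a parameter reaches this branch is not visible here). Consider listing only the parameter names, e.g. `<pre>{escape_html(", ".join(sorted(frappe.form_dict)))}</pre>`, and adding a comment above the return such as `# form_dict is request-controlled: escape it, do not sanitize, before embedding in HTML`. A regression test that requests the page with a markup-bearing parameter and asserts it appears only in escaped form would pin the fix. The body of `get_context` continues past the end of this hunk.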