From 68ad9cfa6758ee2e07914a9f04dc4523e79f97d0 Mon Sep 17 00:00:00 2001
From: Sagar Vora
Date: Thu, 30 Mar 2023 11:52:53 +0530
Subject: [PATCH] fix: escape HTML instead of sanitizing

(cherry picked from commit a56ea73b7d048c1536bc9957ba6e9cde2d1ddc3f)
---
 frappe/www/printview.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/frappe/www/printview.py b/frappe/www/printview.py
index 3e6bc735cab..d5514870da0 100644
--- a/frappe/www/printview.py
+++ b/frappe/www/printview.py
@@ -15,7 +15,7 @@
 from frappe.core.doctype.access_log.access_log import make_access_log
 from frappe.core.doctype.document_share_key.document_share_key import is_expired
 from frappe.modules import get_doc_path
-from frappe.utils import cint, sanitize_html, strip_html
+from frappe.utils import cint, escape_html, strip_html
 from frappe.utils.jinja import is_rtl
 
 no_cache = 1
@@ -28,12 +28,11 @@ def get_context(context):
 """Build context for print"""
 if not ((frappe.form_dict.doctype and frappe.form_dict.name) or frappe.form_dict.doc):
 return {
- "body": sanitize_html(
- """

Error

+ "body": f""" +

Error

Parameters doctype and name required

-
%s
""" - % repr(frappe.form_dict) - ) +
{escape_html(frappe.as_json(frappe.form_dict, indent=2))}
+ """
 }
 if frappe.form_dict.doc:
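Review bot: The new `"body"` f-string should say why the reflected request parameters are escaped rather than sanitized, otherwise a later maintainer may put `sanitize_html` back; a comment such as `# form_dict is untrusted request input shown as text, so escape it — sanitizing would still let allowed tags render` above the `return {` line would capture this. The same reasoning applies to the import swap in the first hunk, which drops `sanitize_html` from the `frappe.utils` import; if that name is still used elsewhere in printview.py the hunk would break it — the diffstat suggests it is not, but worth confirming. The closing `"""` sits on its own indented line, so the returned body ends with a run of indentation whitespace inside the string; moving the quotes onto the preceding line is a harmless tidy-up. The markup inside this hunk appears to have been stripped during extraction, so the exact tags around the escaped JSON could not be checked here.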