fix(send_message): escape HTML in the text

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-02-19 12:23:10 +05:30
parent 5fed3866b6
commit 448a5db20f
1 changed files with 3 additions and 0 deletions
--- a/erpnext/templates/utils.py
+++ b/erpnext/templates/utils.py
@@ -3,6 +3,7 @@


 import frappe
+from frappe.utils import escape_html


@frappe.whitelist(allow_guest=True)
@@ -11,6 +12,8 @@ def send_message(sender, message, subject="Website Query"):

 	website_send_message(sender, message, subject)

+	message = escape_html(message)
+
 	lead = customer = None
 	customer = frappe.db.sql(
 		"""select distinct dl.link_name from `tabDynamic Link` dl