From 13de5fa8238f6bdc1018b2773c5899678138e5d8 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Wed, 30 Jan 2019 14:16:54 +0530
Subject: [PATCH 1/8] fix(search): Fix possible reflected XSS attack vector (#6856)
---
 frappe/templates/includes/search_template.html | 6 +++---
 frappe/www/search.html | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/frappe/templates/includes/search_template.html b/frappe/templates/includes/search_template.html
index b8a4737c6f..304d85aad9 100644
--- a/frappe/templates/includes/search_template.html
+++ b/frappe/templates/includes/search_template.html
@@ -23,8 +23,8 @@
+ value='{{ query or ''}}' + {% if not query %}placeholder="{{ _("Search...") }}"{% endif %}>
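Review bot: The `value='{{ query or ''}}'` attribute is single-quoted, so this fix only holds if whatever builds `query` (the Python view, which is not part of this patch) escapes `'` in addition to `<`, `>` and `"`; an HTML escaper that leaves the apostrophe alone would let a query containing `'` close the attribute. Switching to double quotes, as the `placeholder` attribute on the next line already does, removes the dependence on that detail: `value="{{ query or '' }}"`. It would also help to leave a comment where `query` is populated, e.g. `# query is HTML-escaped here; templates must not read frappe.form_dict.q directly`, since the safety of both templates now rests on that one spot.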
@@ -41,7 +41,7 @@ {% endfor %} -{% elif frappe.form_dict.q %} +{% elif query %}

{{ _("No matching records. Search something new") }} {% else %}

{{ _("Type something in the search box to search") }} diff --git a/frappe/www/search.html b/frappe/www/search.html index b131d14bdf..589fc03c47 100644 --- a/frappe/www/search.html +++ b/frappe/www/search.html @@ -10,7 +10,7 @@ frappe.ready(function() { frappe.call({ method: 'frappe.www.search.get_search_results', args: { - text: '{{ frappe.form_dict.q }}', + text: '{{ query }}', start: $('.search-result-item').length, as_html: 1 }, From 5ac851e4204bf2d7ac409b13afd64a9843f3c37b Mon Sep 17 00:00:00 2001 From: Robert Date: Wed, 30 Jan 2019 13:10:15 +0100 Subject: [PATCH 2/8] fix: frappe.throw of 'Invalid Password:' not translatable on update-password page (#6725) * [Fix] throw 'Invalid Password:' when checking password strongness * Update __init__.py --- frappe/core/doctype/user/user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py index 3d1a803e4d..5a08f51df1 100644 --- a/frappe/core/doctype/user/user.py +++ b/frappe/core/doctype/user/user.py @@ -930,7 +930,7 @@ def handle_password_test_fail(result): suggestions = result['feedback']['suggestions'][0] if result['feedback']['suggestions'] else '' warning = result['feedback']['warning'] if 'warning' in result['feedback'] else '' suggestions += "
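Review bot: `text: '{{ query }}'` places the query inside a JavaScript string literal, and HTML escaping (presumably what makes `query` safe for the templates in this commit) does not neutralise backslashes, line breaks or an unescaped `'` in that context, so a value that passes the HTML escaper can still terminate the JS string. Emitting it as a JSON literal avoids hand-quoting: `text: {{ query | tojson }},` (Jinja 2.9+; `tojson` also encodes `<`, `>` and `&`, so it is safe inside a script block). If `query` is already entity-escaped, reading the value back from the rendered search input at call time may be the cleaner option, since it avoids double-encoding. The enclosing `frappe.ready(function() {` callback starts before this hunk and continues after it.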
" + _("Hint: Include symbols, numbers and capital letters in the password") + '
' - frappe.throw(_('Invalid Password: ' + ' '.join([warning, suggestions]))) + frappe.throw(' '.join([_('Invalid Password:'), warning, suggestions])) def update_gravatar(name): gravatar = has_gravatar(name) From e3952cb1998688b21d822cd320971432f5ca83aa Mon Sep 17 00:00:00 2001 From: Nabin Hait Date: Wed, 30 Jan 2019 18:34:41 +0530 Subject: [PATCH 3/8] fix: Better data import error log (#6862) --- .../core/doctype/data_import/data_import.py | 2 ++ frappe/core/doctype/data_import/importer.py | 19 ++++++++++++++++--- .../core/doctype/data_import/log_details.html | 6 +++--- 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/frappe/core/doctype/data_import/data_import.py b/frappe/core/doctype/data_import/data_import.py index 02624cdf65..3ca154c384 100644 --- a/frappe/core/doctype/data_import/data_import.py +++ b/frappe/core/doctype/data_import/data_import.py @@ -34,8 +34,10 @@ def import_data(data_import): frappe.db.set_value("Data Import", data_import, "import_status", "In Progress", update_modified=False) frappe.publish_realtime("data_import_progress", {"progress": "0", "data_import": data_import, "reload": True}, user=frappe.session.user) + from frappe.core.page.background_jobs.background_jobs import get_info enqueued_jobs = [d.get("job_name") for d in get_info()] + if data_import not in enqueued_jobs: enqueue(upload, queue='default', timeout=6000, event='data_import', job_name=data_import, data_import_doc=data_import, from_data_import="Yes", user=frappe.session.user) diff --git a/frappe/core/doctype/data_import/importer.py b/frappe/core/doctype/data_import/importer.py index fe9fe77955..4ab7c3a10c 100644 --- a/frappe/core/doctype/data_import/importer.py +++ b/frappe/core/doctype/data_import/importer.py 
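Review bot: Only the `Invalid Password:` prefix goes through `_()` on the changed line; `warning` and `suggestions`, read from `result['feedback']` just above, are still joined in untranslated, so the update-password message named in the commit title stays partly in English. If those feedback strings come from a fixed set of the strength checker's phrases, `_(warning) if warning else ''` would let them pick up translations as well. The join also produces a doubled space whenever `warning` is empty; `' '.join(s for s in [_('Invalid Password:'), warning, suggestions] if s)` avoids that without changing the non-empty case. `handle_password_test_fail` starts at the hunk header, and `update_gravatar` continues past the end of the hunk.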
@@ -427,15 +427,28 @@ def upload(rows = None, submit_after_import=None, ignore_encoding_errors=False,
 except Exception as e:
 error_flag = True
- err_msg = frappe.local.message_log and "\n".join([json.loads(msg).get('message') for msg in frappe.local.message_log]) or cstr(e)
+
+ # build error message
+ if frappe.local.message_log:
+ err_msg = "\n".join(['

{}

'.format(json.loads(msg).get('message')) for msg in frappe.local.message_log]) + else: + err_msg = '

{}

'.format(cstr(e)) + error_trace = frappe.get_traceback() if error_trace: error_log_doc = frappe.log_error(error_trace) error_link = get_url_to_form("Error Log", error_log_doc.name) else: error_link = None - log(**{"row": row_idx + 1, "title":'Error for row %s' % (len(row)>1 and frappe.safe_decode(row[1]) or ""), "message": err_msg, - "indicator": "red", "link":error_link}) + + log(**{ + "row": row_idx + 1, + "title": 'Error for row %s' % (len(row)>1 and frappe.safe_decode(row[1]) or ""), + "message": err_msg, + "indicator": "red", + "link":error_link + }) + # data with error to create a new file # include the errored data in the last row as last_error_row_idx will not be updated for the last row if skip_errors: diff --git a/frappe/core/doctype/data_import/log_details.html b/frappe/core/doctype/data_import/log_details.html index ae6c02ac04..aa160a742b 100644 --- a/frappe/core/doctype/data_import/log_details.html +++ b/frappe/core/doctype/data_import/log_details.html @@ -6,19 +6,19 @@ {{ __("Row Status") }} {{ __("Message") }} - + {% for row in data %} {% if (!show_only_errors) || (show_only_errors && row.indicator == "red") %} - {{ row.row }} + {{ row.row }} {{ row.title }} {% if (import_status != "Failed" || (row.indicator == "red")) { %} - {{ row.message }} +
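Review bot: The fallback branch inserts `cstr(e)` straight into the markup wrapper (garbled in this view) that `.format(...)` builds for `err_msg`, whereas the `message_log` branch inserts msgprint payloads that are already HTML; raw exception text is plain text and can echo cell values from the uploaded file or database error detail, so it should be escaped before being wrapped, e.g. `.format(escape_html(cstr(e)))` with `escape_html` imported from `frappe.utils` alongside `cstr`. The same `message` is rendered by `log_details.html` in the last hunk of this patch, so escaping at the source covers that consumer too. A one-line comment would make the asymmetry explicit: `# message_log entries are msgprint HTML; the raw exception text is not, so escape it`. `upload()` begins well before this hunk and continues after it.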
{{ row.message }}
{% if row.link %} From 42ec843b243aa5825c06670ac970e8d2f0eea9b3 Mon Sep 17 00:00:00 2001 From: Kartik Sharma Date: Wed, 30 Jan 2019 18:41:12 +0530 Subject: [PATCH 4/8] fix: Print Format Builder not working unexpected string (#6861) * Fix Print Format Builder * fix: add *working* fallback * fix: keep quotes around attr value --- .../page/print_format_builder/print_format_builder_section.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frappe/printing/page/print_format_builder/print_format_builder_section.html b/frappe/printing/page/print_format_builder/print_format_builder_section.html index d08a7ca5b2..387d24742f 100644 --- a/frappe/printing/page/print_format_builder/print_format_builder_section.html +++ b/frappe/printing/page/print_format_builder/print_format_builder_section.html @@ -1,4 +1,4 @@ -