Merge pull request #34551 from akhilnarang/fix-multiselect-xss

fix(multiselect): escape HTML

frappe/public/js/frappe/form/controls/base_input.js

@@ -155,7 +155,11 @@ frappe.ui.form.ControlInput = class ControlInput extends frappe.ui.form.Control
 		} else {
 			value = this.value || value;
 		}
-		if (["Data", "Long Text", "Small Text", "Text", "Password"].includes(this.df.fieldtype)) {
+		if (
+			["Data", "Long Text", "Small Text", "Text", "Password", "MultiSelect"].includes(
+				this.df.fieldtype
+			)
+		) {
 			value = frappe.utils.escape_html(value);
 		}
 		let doc = this.doc || (this.frm && this.frm.doc);

frappe/public/js/frappe/views/communication.js

@@ -56,9 +56,6 @@ frappe.views.CommunicationComposer = class {
 				fieldname: "recipients",
 				default: this.get_default_recipients("recipients"),
 				ignore_validation: true,
-				onchange: function () {
-					me.sanitize_emails(this);
-				},
 			},
 			{
 				fieldtype: "Button",
@@ -79,9 +76,6 @@ frappe.views.CommunicationComposer = class {
 				fieldname: "cc",
 				default: this.get_default_recipients("cc"),
 				ignore_validation: true,
-				onchange: function () {
-					me.sanitize_emails(this);
-				},
 			},
 			{
 				label: __("BCC", null, "Email Recipients"),
@@ -89,9 +83,6 @@ frappe.views.CommunicationComposer = class {
 				fieldname: "bcc",
 				default: this.get_default_recipients("bcc"),
 				ignore_validation: true,
-				onchange: function () {
-					me.sanitize_emails(this);
-				},
 			},
 			{
 				label: __("Schedule Send At"),
@@ -986,16 +977,4 @@ frappe.views.CommunicationComposer = class {
 		const text = frappe.utils.html2text(html);
 		return text.replace(/\n{3,}/g, "\n\n");
 	}
-
-	sanitize_emails(control) {
-		let emails = control.get_value();
-		if (!emails) return;
-		let sanitized = emails
-			.split(",")
-			.map((email) => frappe.utils.xss_sanitise(email.trim()))
-			.join(",");
-		if (sanitized != emails) {
-			control.set_value(sanitized);
-		}
-	}
 };