From 1068b3cb96b2069b00827ce47375f2422065de7b Mon Sep 17 00:00:00 2001
From: Akhil Narang <me@akhilnarang.dev>
Date: Fri, 31 Oct 2025 13:18:05 +0530
Subject: [PATCH 1/2] Revert "Merge pull request #28914 from
 samkit5495/patch-1"

This reverts commit 22560c36f6bb064486134049b57d6db1f4c573ed, reversing
changes made to 7a7b318662a16eefb30698564a14dc98dd7b1327.
---
 .../public/js/frappe/views/communication.js   | 21 -------------------
 1 file changed, 21 deletions(-)

diff --git a/frappe/public/js/frappe/views/communication.js b/frappe/public/js/frappe/views/communication.js
index 12ab9da505..6ffc9edafd 100755
--- a/frappe/public/js/frappe/views/communication.js
+++ b/frappe/public/js/frappe/views/communication.js
@@ -56,9 +56,6 @@ frappe.views.CommunicationComposer = class {
 				fieldname: "recipients",
 				default: this.get_default_recipients("recipients"),
 				ignore_validation: true,
-				onchange: function () {
-					me.sanitize_emails(this);
-				},
 			},
 			{
 				fieldtype: "Button",
@@ -79,9 +76,6 @@ frappe.views.CommunicationComposer = class {
 				fieldname: "cc",
 				default: this.get_default_recipients("cc"),
 				ignore_validation: true,
-				onchange: function () {
-					me.sanitize_emails(this);
-				},
 			},
 			{
 				label: __("BCC", null, "Email Recipients"),
@@ -89,9 +83,6 @@ frappe.views.CommunicationComposer = class {
 				fieldname: "bcc",
 				default: this.get_default_recipients("bcc"),
 				ignore_validation: true,
-				onchange: function () {
-					me.sanitize_emails(this);
-				},
 			},
 			{
 				label: __("Schedule Send At"),
@@ -986,16 +977,4 @@ frappe.views.CommunicationComposer = class {
 		const text = frappe.utils.html2text(html);
 		return text.replace(/\n{3,}/g, "\n\n");
 	}
-
-	sanitize_emails(control) {
-		let emails = control.get_value();
-		if (!emails) return;
-		let sanitized = emails
-			.split(",")
-			.map((email) => frappe.utils.xss_sanitise(email.trim()))
-			.join(",");
-		if (sanitized != emails) {
-			control.set_value(sanitized);
-		}
-	}
 };

From 45d1dd32243ffb634eb4b8c8258f7b9f12f2ccc0 Mon Sep 17 00:00:00 2001
From: Akhil Narang <me@akhilnarang.dev>
Date: Fri, 31 Oct 2025 13:42:54 +0530
Subject: [PATCH 2/2] fix: escape multiselect as well

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
---
 frappe/public/js/frappe/form/controls/base_input.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/frappe/public/js/frappe/form/controls/base_input.js b/frappe/public/js/frappe/form/controls/base_input.js
index f6d63b4120..beab7e96bd 100644
--- a/frappe/public/js/frappe/form/controls/base_input.js
+++ b/frappe/public/js/frappe/form/controls/base_input.js
@@ -155,7 +155,11 @@ frappe.ui.form.ControlInput = class ControlInput extends frappe.ui.form.Control
 		} else {
 			value = this.value || value;
 		}
-		if (["Data", "Long Text", "Small Text", "Text", "Password"].includes(this.df.fieldtype)) {
+		if (
+			["Data", "Long Text", "Small Text", "Text", "Password", "MultiSelect"].includes(
+				this.df.fieldtype
+			)
+		) {
 			value = frappe.utils.escape_html(value);
 		}
 		let doc = this.doc || (this.frm && this.frm.doc);