Merge pull request #10910 from Thunderbottom/printview-xss

fix: escape unwanted tags before displaying printview
mergify[bot] 2020-07-16 16:29:09 +00:00 committed by GitHub
commit 1aa2d6d97f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -8,7 +8,7 @@ from frappe import _
from frappe.modules import get_doc_path
from frappe.core.doctype.access_log.access_log import make_access_log
from frappe.utils import cint, strip_html
from frappe.utils import cint, sanitize_html, strip_html
from six import string_types
no_cache = 1
@ -20,9 +20,9 @@ def get_context(context):
"""Build context for print"""
if not ((frappe.form_dict.doctype and frappe.form_dict.name) or frappe.form_dict.doc):
return {
"body": """<h1>Error</h1>
"body": sanitize_html("""<h1>Error</h1>
<p>Parameters doctype and name required</p>
<pre>%s</pre>""" % repr(frappe.form_dict)
<pre>%s</pre>""" % repr(frappe.form_dict))
}
if frappe.form_dict.doc:
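Review bot: In the error branch of `get_context`, the request-derived `repr(frappe.form_dict)` is still interpolated into the markup before `sanitize_html` runs, so the output depends on the sanitizer's allow-list rather than on treating the value as text. `sanitize_html` is not shown here, but if it is an allow-list cleaner then any permitted tags and attributes supplied in the request parameters would still render on the error page. Because the value is only meant to be displayed inside `<pre>`, escaping it where it is interpolated is the tighter fix: `<pre>%s</pre>""" % escape_html(repr(frappe.form_dict))`, with `escape_html` added to the `frappe.utils` import. The static `<h1>`/`<p>` wrapper then needs no sanitising at all. A regression test asserting that markup in `doctype`/`name` comes back entity-encoded would pin this behaviour; the rest of `get_context` lies outside the hunk.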