From e952a3f72b93657793ba8ab92b75486520ff21eb Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Fri, 3 Jul 2020 10:52:10 +0530
Subject: [PATCH] fix: escape unwanted tags before displaying printview
prevents xss on the printview page
Signed-off-by: Chinmay D. Pai
---
frappe/www/printview.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/frappe/www/printview.py b/frappe/www/printview.py
index 4853bf1cb9..545e5d581d 100644
--- a/frappe/www/printview.py
+++ b/frappe/www/printview.py
@@ -8,7 +8,7 @@ from frappe import _
from frappe.modules import get_doc_path
from frappe.core.doctype.access_log.access_log import make_access_log
-from frappe.utils import cint, strip_html
+from frappe.utils import cint, sanitize_html, strip_html
from six import string_types
no_cache = 1
@@ -20,9 +20,9 @@ def get_context(context):
"""Build context for print"""
if not ((frappe.form_dict.doctype and frappe.form_dict.name) or frappe.form_dict.doc):
return {
- "body": """

Error

+ "body": sanitize_html("""

Error

Parameters doctype and name required

-
%s
""" % repr(frappe.form_dict)
+
%s
""" % repr(frappe.form_dict))
}
if frappe.form_dict.doc:
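Review bot: The only untrusted text in the new `"body"` value is `repr(frappe.form_dict)`, yet the commit runs `sanitize_html` over the whole assembled template instead of escaping that one value before it is interpolated; an allow-list sanitizer makes the outcome depend on its tag and attribute policy, whereas escaping the value — `"body": """...%s...""" % html.escape(repr(frappe.form_dict))` with a stdlib `import html` — neutralizes any payload regardless of policy, leaves the author's static markup untouched, and shows the caller exactly what was received at the `%s` placeholder. Sanitizing after interpolation also means an attacker-controlled tag is silently removed rather than displayed, so the error page no longer reflects the actual request, which is presumably what the dump is for. Separately, echoing every query parameter back into the response reflects whatever the client sent and may surface values that should not appear in a page body; consider limiting the dump to `doctype`, `name` and `doc`, or dropping it. The body of `get_context` continues past the end of this hunk.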