Merge pull request #38796 from ShrihariMahabal/escape-icon-color

fix: escape icon and color fields
2026-04-22 15:02:39 +05:30 · 2026-04-22 15:02:39 +05:30 · 1b8f6cddbb
commit 1b8f6cddbb
parent b828efe1b5 b593285b56
1 changed files with 12 additions and 12 deletions
--- a/frappe/public/js/frappe/form/formatters.js
+++ b/frappe/public/js/frappe/form/formatters.js
@ -394,20 +394,20 @@ frappe.form.formatters = {
 		return formatted_values.join(", ");
 	},
 	Color: (value) => {
-		return value
+		if (!value) return "";
-			? `<div>
+		let escaped_value = frappe.utils.escape_html(value);
-			<div class="selected-color" style="background-color: ${value}"></div>
+		return `<div>
-			<span class="color-value">${value}</span>
+			<div class="selected-color" style="background-color: ${escaped_value}"></div>
-		</div>`
+			<span class="color-value">${escaped_value}</span>
-			: "";
+		</div>`;
 	},
 	Icon: (value) => {
-		return value
+		if (!value) return "";
-			? `<div class='flex' style='gap: 8px;'>
+		let escaped_value = frappe.utils.escape_html(value);
-			<div class="selected-icon">${frappe.utils.icon(value, "md")}</div>
+		return `<div class='flex' style='gap: 8px;'>
-			<span class="icon-value">${value}</span>
+			<div class="selected-icon">${frappe.utils.icon(escaped_value, "md")}</div>
-		</div>`
+			<span class="icon-value">${escaped_value}</span>
-			: "";
+		</div>`;
 	},
 	Attach: format_attachment_url,
 	AttachImage: format_attachment_url,