fix(security): XSS in display area

Faris Ansari 2019-11-04 15:53:53 +05:30
parent de00a651cc
commit 1c450877b0


@ -119,9 +119,12 @@ frappe.ui.form.ControlInput = frappe.ui.form.Control.extend({
} else {
value = this.value || value;
}
this.disp_area && $(this.disp_area)
.html(frappe.format(value, this.df, {no_icon:true, inline:true},
this.doc || (this.frm && this.frm.doc)));
if (this.df.fieldtype === 'Data') {
value = frappe.utils.escape_html(value);
}
let doc = this.doc || (this.frm && this.frm.doc);
let display_value = frappe.format(value, this.df, {no_icon:true, inline:true}, doc);
this.disp_area && $(this.disp_area).html(display_value);
},
bind_change_event: function() {
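Review bot: The escaping added at `if (this.df.fieldtype === 'Data')` is keyed to one fieldtype, so any other fieldtype whose value `frappe.format` passes through verbatim would still reach `$(this.disp_area).html(display_value)` unescaped; I cannot see `frappe.format` from here, so confirm which fieldtypes it returns raw, and consider putting the escape inside the Data formatter itself so every render path that calls `frappe.format` (not only this control's display area) is covered. Because the escape runs before `frappe.format`, the value would be double-escaped if the Data formatter ever escapes on its own — worth a quick check against the formatter. A why-comment on the new branch would stop a later reader from "simplifying" it away: `// disp_area is filled via .html(); escape user-supplied Data values so markup in them is shown, not rendered`. The enclosing method starts before this hunk.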
@ -184,4 +187,4 @@ frappe.ui.form.ControlInput = frappe.ui.form.Control.extend({
$(this.disp_area).toggleClass("bold", !!(this.df.bold || this.df.reqd));
}
}
});
});