From 1c450877b0a9052229e72eee4e1fd9beaf47b2a2 Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Mon, 4 Nov 2019 15:53:53 +0530
Subject: [PATCH] fix(security): XSS in display area

---
 frappe/public/js/frappe/form/controls/base_input.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/frappe/public/js/frappe/form/controls/base_input.js b/frappe/public/js/frappe/form/controls/base_input.js
index 365ff364d5..e0a572d476 100644
--- a/frappe/public/js/frappe/form/controls/base_input.js
+++ b/frappe/public/js/frappe/form/controls/base_input.js
@@ -119,9 +119,12 @@ frappe.ui.form.ControlInput = frappe.ui.form.Control.extend({
 } else {
 value = this.value || value;
 }
- this.disp_area && $(this.disp_area) .html(frappe.format(value, this.df, {no_icon:true, inline:true}, this.doc || (this.frm && this.frm.doc)));
+ if (this.df.fieldtype === 'Data') {
+ value = frappe.utils.escape_html(value);
+ }
+ let doc = this.doc || (this.frm && this.frm.doc);
+ let display_value = frappe.format(value, this.df, {no_icon:true, inline:true}, doc);
+ this.disp_area && $(this.disp_area).html(display_value);
 },
 
 bind_change_event: function() {
@@ -184,4 +187,4 @@ frappe.ui.form.ControlInput = frappe.ui.form.Control.extend({
 $(this.disp_area).toggleClass("bold", !!(this.df.bold || this.df.reqd));
 }
 }
-});
\ No newline at end of file
+});
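Review bot: The escaping added at the top of the first hunk is keyed to a single fieldtype, so every other field whose value can carry user-supplied text (Small Text or Text, if they are rendered through this same path) still reaches `.html(display_value)` unescaped and relies on `frappe.format` to neutralise it, which nothing in this hunk confirms; a short why-comment above the check, such as `// Data values pass through frappe.format unescaped, so escape here before .html()`, would record the assumption the fix rests on and make the allowlist easy to widen. It is also not visible here whether `value` can be null or undefined at this point (`this.value || value` falls through to whatever the caller passed), so confirm `frappe.utils.escape_html` tolerates that before the call. Minor: `doc` and `display_value` are never reassigned, so `const doc = ...;` and `const display_value = ...;` fit better than `let`. The enclosing method begins before the hunk.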