fix(awesomebar): sanitise text when searching in list views

`<img src=x onerror=alert('XSS')//` would work otherwise Signed-off-by: Akhil Narang <me@akhilnarang.dev>
2025-03-05 18:17:25 +05:30 · 2025-03-05 18:17:25 +05:30 · 1d2a0a1269
commit 1d2a0a1269
parent fba36d57e5
1 changed files with 4 additions and 1 deletions
--- a/frappe/public/js/frappe/ui/toolbar/awesome_bar.js
+++ b/frappe/public/js/frappe/ui/toolbar/awesome_bar.js
@ -324,7 +324,10 @@ frappe.search.AwesomeBar = class AwesomeBar {
 			var options = {};
 			options[search_field] = ["like", "%" + txt + "%"];
 			this.options.push({
-				label: __("Find {0} in {1}", [txt.bold(), __(route[1]).bold()]),
+				label: __("Find {0} in {1}", [
+					frappe.utils.xss_sanitise(txt).bold(),
+					__(route[1]).bold(),
+				]),
 				value: __("Find {0} in {1}", [txt, __(route[1])]),
 				route_options: options,
 				onclick: function () {