From 6aebe0f522e02186313ec6a8f6f265ec11122ce9 Mon Sep 17 00:00:00 2001
From: Faris Ansari <netchamp.faris@gmail.com>
Date: Mon, 26 Aug 2019 14:54:52 +0530
Subject: [PATCH] fix: Escape html in timeline

---
 frappe/public/js/frappe/form/footer/timeline.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frappe/public/js/frappe/form/footer/timeline.js b/frappe/public/js/frappe/form/footer/timeline.js
index 2a6813d9da..be15d9997b 100644
--- a/frappe/public/js/frappe/form/footer/timeline.js
+++ b/frappe/public/js/frappe/form/footer/timeline.js
@@ -598,6 +598,7 @@ frappe.ui.form.Timeline = class Timeline {
 					return parts.length < 3;
 				});
 				if(parts.length) {
+					parts = parts.map(frappe.utils.escape_html);
 					out.push(me.get_version_comment(version, __("changed value of {0}", [parts.join(', ').bold()])));
 				}
 			}