From c3d8214124b3dea0a216d76a1652c9dbb3c410a5 Mon Sep 17 00:00:00 2001
From: AarDG10
Date: Mon, 13 Apr 2026 17:28:57 +0530
Subject: [PATCH 1/2] feat(html_utils): introduce wildcard in sanitize_html

Introduces a wildcard i.e. Disallows all HTML tags when used.
---
 frappe/utils/html_utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frappe/utils/html_utils.py b/frappe/utils/html_utils.py
index c0ca52e147..dc26029d82 100644
--- a/frappe/utils/html_utils.py
+++ b/frappe/utils/html_utils.py
@@ -170,7 +170,10 @@ def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=No
 
 	# Allow caller to explicitly disallow some tags
 	if disallowed_tags:
-		tags.difference_update(disallowed_tags)
+		if disallowed_tags == "*":
+			tags = set()
+		else:
+			tags.difference_update(disallowed_tags)
 
 	attributes = {"*": acceptable_attributes, "svg": svg_attributes}
 

From a1d7fb77e35e44232329ccf5364b58a383dacfb1 Mon Sep 17 00:00:00 2001
From: AarDG10
Date: Mon, 13 Apr 2026 20:56:47 +0530
Subject: [PATCH 2/2] fix(user): sanitize all html tags in name fields

Name fields shouldn't really be allowing HTML tags in User Doctype.
---
 frappe/core/doctype/user/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index 84c9580e30..08c1e7fa68 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -359,7 +359,7 @@ class User(Document):
 	def clean_name(self):
 		for field in ("first_name", "middle_name", "last_name"):
 			if field_value := self.get(field):
-				self.set(field, sanitize_html(field_value, always_sanitize=True))
+				self.set(field, sanitize_html(field_value, always_sanitize=True, disallowed_tags="*"))
 
 	def set_full_name(self):
 		self.full_name = " ".join(p for p in [self.first_name, self.middle_name, self.last_name] if p)
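Review bot: The wildcard is only honoured when `disallowed_tags` is the bare string `"*"`; a caller passing `["*"]` or `{"*"}` falls through to `tags.difference_update(...)`, which removes nothing and silently keeps the whole allowlist, so a "disallow everything" request fails open. Accept the wildcard inside a collection as well, e.g. `if disallowed_tags == "*" or (not isinstance(disallowed_tags, str) and "*" in disallowed_tags):`, and note that any other bare string (say `"script"`) is still iterated character by character by `difference_update`, a pre-existing trap this branch could close with the same type check. The sentinel also needs to be documented in the docstring of `sanitize_html`, which lies outside this hunk along with the rest of the function body: `disallowed_tags: iterable of tag names to drop from the allowlist, or "*" to allow no tags at all`. An empty allowlist only makes every tag disallowed; whether bleach strips or entity-escapes them depends on the `strip` argument of the `bleach.clean` call further down, which is not visible here, so the commit message's "disallows all HTML tags" should be checked against that call.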
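Review bot: Unless the `bleach.clean` call inside `sanitize_html` runs with `strip=True` (it is outside this hunk), an empty allowlist escapes disallowed tags rather than removing them, so a `first_name` of `<b>Bob</b>` is most likely persisted as `&lt;b&gt;Bob&lt;/b&gt;` instead of `Bob`; confirm which result is intended, because an entity-encoded value in a plain-text name field renders literally wherever the name is already escaped on output. If plain text is the goal, strip tags before the `sanitize_html` call (frappe ships a tag-stripping helper in `frappe.utils`, if I recall correctly) and keep output escaping as the actual XSS defence. The fix also hinges on the sanitizer recognising the bare-string `"*"` sentinel, and the commit adds no test, so add one that pushes `<script>alert(1)</script>` and `<img src=x onerror=alert(1)>` through `clean_name` and pins the resulting `first_name` and `full_name`. `set_full_name` joins the already-cleaned parts, so `full_name` inherits whatever `clean_name` produces; both methods are complete in the hunk, while `class User` continues outside it.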