Merge pull request #38566 from AarDG10/fix-user

fix(user): sanitize all html tags in name fields in User Doctype
Aarol D'Souza 2026-04-14 17:07:48 +05:30 committed by GitHub
commit 4e52cbfb95
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 2 deletions


@ -359,7 +359,7 @@ class User(Document):
def clean_name(self): def clean_name(self):
for field in ("first_name", "middle_name", "last_name"): for field in ("first_name", "middle_name", "last_name"):
if field_value := self.get(field): if field_value := self.get(field):
self.set(field, sanitize_html(field_value, always_sanitize=True)) self.set(field, sanitize_html(field_value, always_sanitize=True, disallowed_tags="*"))
def set_full_name(self): def set_full_name(self):
self.full_name = " ".join(p for p in [self.first_name, self.middle_name, self.last_name] if p) self.full_name = " ".join(p for p in [self.first_name, self.middle_name, self.last_name] if p)
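Review bot: The `disallowed_tags="*"` argument added to the `self.set(...)` call is a string sentinel whose meaning only exists inside `sanitize_html`, so a reader of `clean_name` cannot tell it means "allow no tags at all"; a one-line comment on that call would make the intent local, e.g. `# "*" disallows every tag: name fields are plain text, never markup`. Whether a disallowed tag is escaped (`&lt;b&gt;Jane&lt;/b&gt;`) or stripped (`Jane`) is decided inside `sanitize_html` and is not visible here, and `set_full_name` on the next lines carries whatever form is stored straight into `full_name`; a test asserting what a value like `"<b>Jane</b>"` becomes after `clean_name` would pin that contract. The enclosing class `User` starts outside this hunk, so the order in which `clean_name` and `set_full_name` are called cannot be confirmed from here.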


@ -170,7 +170,10 @@ def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=No
# Allow caller to explicitly disallow some tags # Allow caller to explicitly disallow some tags
if disallowed_tags: if disallowed_tags:
tags.difference_update(disallowed_tags) if disallowed_tags == "*":
tags = set()
else:
tags.difference_update(disallowed_tags)
attributes = {"*": acceptable_attributes, "svg": svg_attributes} attributes = {"*": acceptable_attributes, "svg": svg_attributes}
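Review bot: The new `if disallowed_tags == "*":` check matches only the bare string, so a caller passing `["*"]` or `{"*"}` falls through to `tags.difference_update(...)`, removes nothing, and silently gets the full default allow-list — the opposite of what was asked for; `if disallowed_tags == "*" or "*" in disallowed_tags:` closes that gap cheaply (a plain string other than `"*"` would still be iterated per character by `difference_update`, but that predates this change). The sentinel is also not documented on the function: the docstring should say `disallowed_tags: iterable of tag names to remove from the allow-list, or "*" to allow no tags at all`. Emptying `tags` does not touch `attributes` on the following line, and whether `linkify=True` later reintroduces `<a>` elements after sanitizing happens outside this hunk and is worth checking. The body of `sanitize_html` continues past the hunk.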