diff --git a/frappe/__init__.py b/frappe/__init__.py
index 1b5774e9a9..a73abfd1b2 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
@@ -353,7 +353,8 @@ def sendmail(recipients=(), sender="", subject="No Subject", message="No Message
 logger = None
 whitelisted = []
 guest_methods = []
-def whitelist(allow_guest=False):
+xss_safe_methods = []
+def whitelist(allow_guest=False, xss_safe=False):
 """
 Decorator for whitelisting a function and making it accessible via HTTP.
 Standard request will be `/api/method/[path.to.method]`
@@ -373,6 +374,9 @@ def whitelist(allow_guest=False):
 if allow_guest:
 guest_methods.append(fn)
+ if xss_safe:
+ xss_safe_methods.append(fn)
+
 return fn
 return innerfn
diff --git a/frappe/__version__.py b/frappe/__version__.py
index 3090289e0e..86de4949bf 100644
--- a/frappe/__version__.py
+++ b/frappe/__version__.py
@@ -1,2 +1,2 @@
 from __future__ import unicode_literals
-__version__ = "6.4.1"
+__version__ = "6.4.2"
diff --git a/frappe/handler.py b/frappe/handler.py
index 88673a86ef..88d886a6de 100755
--- a/frappe/handler.py
+++ b/frappe/handler.py
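Review bot: The new `xss_safe` parameter is not described in the docstring the first hunk cuts into, and it is a security-relevant switch: a function registered in `xss_safe_methods` is the one `handler.py` in this same commit exempts from the `bleach.clean` pass over `frappe.form_dict`, so its request values arrive unsanitized. Add a line to the docstring such as `xss_safe: skip HTML sanitization of form_dict for this method; the method must escape any user input it renders or stores`, so a reader of the decorator sees the obligation it takes on instead of having to find the check in the handler. Keeping `xss_safe_methods` a plain list matches `whitelisted` and `guest_methods` and the `method in frappe.whitelisted` test the handler already performs, so the registration itself is consistent with the existing style. The first hunk ends inside the docstring and the second begins inside `innerfn`, so the rest of `whitelist`'s body is outside the hunks.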
@@ -93,12 +93,13 @@ def execute_cmd(cmd, from_async=False):
 frappe.msgprint(_("Not permitted"))
 raise frappe.PermissionError('Not Allowed, {0}'.format(method))
- # strictly sanitize form_dict
- # escapes html characters like <> except for predefined tags like a, b, ul etc.
- # if required, we can add more whitelisted tags like div, p, etc. (see its documentation)
- for key, value in frappe.form_dict.items():
- if isinstance(value, basestring):
- frappe.form_dict[key] = bleach.clean(value)
+ if method not in frappe.xss_safe_methods:
+ # strictly sanitize form_dict
+ # escapes html characters like <> except for predefined tags like a, b, ul etc.
+ # if required, we can add more whitelisted tags like div, p, etc. (see its documentation)
+ for key, value in frappe.form_dict.items():
+ if isinstance(value, basestring):
+ frappe.form_dict[key] = bleach.clean(value)
 else:
 if not method in frappe.whitelisted:
diff --git a/frappe/hooks.py b/frappe/hooks.py
index afa30011ff..8a8785b857 100644
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
@@ -26,7 +26,7 @@ to ERPNext.
 """
 app_icon = "octicon octicon-circuit-board"
-app_version = "6.4.1"
+app_version = "6.4.2"
 app_color = "orange"
 github_link = "https://github.com/frappe/frappe"
diff --git a/setup.py b/setup.py
index abf6439542..719ffc8d1d 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
-version = "6.4.1"
+version = "6.4.2"
 with open("requirements.txt", "r") as f:
 install_requires = f.readlines()
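Review bot: The new `if method not in frappe.xss_safe_methods:` guard turns skipping the `bleach.clean` pass into a silent per-method decision, and nothing here records when it is taken, so a method that opts out by mistake leaves no trace for later review. A comment above the guard should state the contract the exemption relies on, e.g. `# methods decorated with whitelist(xss_safe=True) get form_dict unsanitized and must escape user input themselves`, and a debug-level log naming the exempted method would make the opt-out visible when reviewing an incident. The retained loop also only cleans values that are `basestring` instances, so whatever non-string values `form_dict` may carry pass through regardless of the new guard; this predates the change, but the comment block is the natural place to say so now that the pass is conditional. `execute_cmd` begins before the hunk and the `else:` branch at its end continues past it; `method` is resolved outside the visible lines.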