vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4

Merge pull request #38331 from ShrihariMahabal/complete-signup-xss

Browse source 
fix(security): escape 'key' parameter in complete signup
This commit is contained in:
Shrihari Mahabal 2026-03-30 16:35:33 +05:30 committed by GitHub
commit 576bcfdefc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
frappe/www/complete_signup.html
View file

@ -5,7 +5,7 @@
<form role="form form-signin" method="POST"
action="/api/method/frappe.templates.pages.login.login_oauth_user">
<h3 class="form-signin-heading mb-4">{{ _("One Last Step") }}</h3>
<input type="hidden" name="key" value="{{ frappe.form_dict.key }}">
<input type="hidden" name="key" value="{{ frappe.form_dict.key | e }}">
<div class="form-group">
<input type="email" name="email_id"
class="form-control" placeholder="{{ _('Email Address') }}" required autofocus>