From b87e0a874fb88ed4aa0c1d19d8a76209dc212ad0 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 15 Jan 2025 11:46:51 +0530
Subject: [PATCH] fix(activity_log): strip html from full name before inserting
People can pass in HTML in the login page, it gets rendered here
Signed-off-by: Akhil Narang
---
 frappe/core/doctype/activity_log/activity_log.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/frappe/core/doctype/activity_log/activity_log.py b/frappe/core/doctype/activity_log/activity_log.py
index aa764ab002..81dd58f3bc 100644
--- a/frappe/core/doctype/activity_log/activity_log.py
+++ b/frappe/core/doctype/activity_log/activity_log.py
@@ -6,7 +6,7 @@ from frappe.core.utils import set_timeline_doc
 from frappe.model.document import Document
 from frappe.query_builder import DocType, Interval
 from frappe.query_builder.functions import Now
-from frappe.utils import get_fullname, now
+from frappe.utils import get_fullname, now, strip_html
 class ActivityLog(Document):
@@ -36,7 +36,7 @@ class ActivityLog(Document):
 # end: auto-generated types
 def before_insert(self):
- self.full_name = get_fullname(self.user)
+ self.full_name = strip_html(get_fullname(self.user))
 self.date = now()
 def validate(self):
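Review bot: Stripping tags inside `before_insert` cleans only rows created after this commit and only the `full_name` field, so the fix is partial. Rows already stored with markup keep it. Tag stripping is also not output encoding, and `strip_html`'s implementation is not visible here, so the view that renders the activity log should still escape `full_name` on output. I would record the reason on the changed line, e.g. `# self.user can be raw login-page input (possibly HTML); strip tags before the name is stored and rendered`, and add a regression test that inserts an Activity Log whose user contains a tag and asserts the stored `full_name` has none. The class body continues outside the hunk, so whether `validate` or other fields populated from the same login input need the same treatment cannot be checked from here.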