From 6bbb84f9c3fa7f6bb3c8de1cbf2242e82e637e8c Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Sat, 3 Nov 2018 11:52:09 +0530
Subject: [PATCH] XSS fixes (#6386)

* fix(XSS): Sanitise page name before routing
* fix(XSS): Sanitise tag value before saving it
---
 frappe/public/js/frappe/router.js | 3 ++-
 frappe/public/js/frappe/ui/tags.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/frappe/public/js/frappe/router.js b/frappe/public/js/frappe/router.js
index dbf48ee2e3..4f6b47fb32 100644
--- a/frappe/public/js/frappe/router.js
+++ b/frappe/public/js/frappe/router.js
@@ -48,7 +48,8 @@ frappe.route = function() {
 frappe.view_factory[route[0]].show();
 } else {
 // show page
- frappe.views.pageview.show(route[0]);
+ const route_name = frappe.utils.xss_sanitise(route[0]);
+ frappe.views.pageview.show(route_name);
 }
diff --git a/frappe/public/js/frappe/ui/tags.js b/frappe/public/js/frappe/ui/tags.js
index b3ae539809..c68f33a869 100644
--- a/frappe/public/js/frappe/ui/tags.js
+++ b/frappe/public/js/frappe/ui/tags.js
@@ -36,7 +36,8 @@ frappe.ui.Tags = class {
 bind() {
 this.$input.keypress((e) => {
 if(e.which == 13 || e.keyCode == 13) {
- this.addTag(this.$input.val());
+ const tagValue = frappe.utils.xss_sanitise(this.$input.val());
+ this.addTag(tagValue);
 this.$input.val('');
 }
 });
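Review bot: `frappe.utils.xss_sanitise(route[0])` is applied to a value that is used as a page identifier for lookup, not as markup, so the encoding sits at the wrong layer: if the helper rewrites characters such as `&` or `<` (inferred from its name, its behaviour is not visible here), a page whose name legitimately contains one will no longer resolve, while the raw `route[0]` is still used as the key in `frappe.view_factory[route[0]].show()` two lines above and presumably stays in the route state for later readers. The durable fix is to escape the name at the point where pageview interpolates it into the DOM, or to reject names that do not match a strict identifier pattern before routing, and to keep this call only as defence in depth, documented as such: `// defence in depth: pageview must still escape the name when it renders it`. `frappe.route`'s body starts and ends outside the hunk.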
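Review bot: Sanitising `this.$input.val()` before `this.addTag(...)` stores the encoded form of the tag (the commit message says the value is saved), so any renderer that already escapes on output will double-encode it, and a transform done in the browser is not a boundary the server can rely on — the tag must be validated or escaped on the write path server-side and escaped again where it is rendered. This handler is also only the Enter-key path; if `addTag` has other callers (a click or blur handler, an autocomplete selection) they are not covered, so the call belongs inside `addTag` itself if it is kept client-side: `addTag(label) { const value = frappe.utils.xss_sanitise(label); /* … */ }`. `bind()`'s body continues past the end of the hunk.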