From f4ee9e307b1065e2ed4d368a71c0be0c42829c37 Mon Sep 17 00:00:00 2001
From: Ankush Menat <ankush@frappe.io>
Date: Thu, 8 Dec 2022 15:57:15 +0530
Subject: [PATCH 1/2] fix: escape html in timline/version

---
 frappe/core/doctype/version/version_view.html          | 10 +++++-----
 .../form/footer/version_timeline_content_builder.js    |  1 -
 frappe/public/js/frappe/utils/utils.js                 |  6 +++---
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/frappe/core/doctype/version/version_view.html b/frappe/core/doctype/version/version_view.html
index a17460ccc7..c6473b6a42 100644
--- a/frappe/core/doctype/version/version_view.html
+++ b/frappe/core/doctype/version/version_view.html
@@ -18,8 +18,8 @@
 		{% for item in data.changed %}
 		<tr>
 			<td>{{ frappe.meta.get_label(doc.ref_doctype, item[0]) }}</td>
-			<td class="diff-remove">{{ item[1] }}</td>
-			<td class="diff-add">{{ item[2] }}</td>
+			<td class="diff-remove">{{ frappe.utils.escape_html(item[1]) }}</td>
+			<td class="diff-add">{{ frappe.utils.escape_html(item[2]) }}</td>
 		</tr>
 		{% endfor %}
 	</tbody>
@@ -50,7 +50,7 @@
 							{% for row_key in item_keys %}
 							<tr>
 								<td class="small">{{ row_key }}</td>
-								<td class="small">{{ item[1][row_key] }}</td>
+								<td class="small">{{ frappe.utils.escape_html(item[1][row_key]) }}</td>
 							</tr>
 							{% endfor %}
 						</tbody>
@@ -85,8 +85,8 @@
 				<td>{{ frappe.meta.get_label(doc.ref_doctype, table_info[0]) }}</td>
 				<td>{{ table_info[1] }}</td>
 				<td>{{ item[0] }}</td>
-				<td class="diff-remove">{{ item[1] }}</td>
-				<td class="diff-add">{{ item[2] }}</td>
+				<td class="diff-remove">{{ frappe.utils.escape_html(item[1]) }}</td>
+				<td class="diff-add">{{ frappe.utils.escape_html(item[2]) }}</td>
 			</tr>
 			{% endfor %}
 		{% endfor %}
diff --git a/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js b/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js
index 1912b5928e..84ee4fd67d 100644
--- a/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js
+++ b/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js
@@ -278,7 +278,6 @@ function format_content_for_timeline(content) {
 	// limits content to 40 characters
 	// escapes HTML
 	// and makes it bold
-	content = frappe.utils.html2text(content);
 	content = frappe.ellipsis(content, 40) || '""';
 	content = frappe.utils.escape_html(content);
 	return content.bold();
diff --git a/frappe/public/js/frappe/utils/utils.js b/frappe/public/js/frappe/utils/utils.js
index 09805cd05f..6deef69d1f 100644
--- a/frappe/public/js/frappe/utils/utils.js
+++ b/frappe/public/js/frappe/utils/utils.js
@@ -280,9 +280,9 @@ Object.assign(frappe.utils, {
 	},
 
 	html2text: function (html) {
-		let d = document.createElement("div");
-		d.innerHTML = html;
-		return d.textContent;
+		const parser = new DOMParser();
+		const dom = parser.parseFromString(html);
+		return dom.textContent;
 	},
 
 	is_url: function (txt) {

From 57cb71311f11dc3163e0f489bc9ccb823e45f0cb Mon Sep 17 00:00:00 2001
From: Ankush Menat <ankush@frappe.io>
Date: Thu, 8 Dec 2022 16:22:38 +0530
Subject: [PATCH 2/2] refactor: use domparser for html2text

---
 frappe/public/js/frappe/utils/utils.js         | 4 ++--
 frappe/public/js/frappe/views/communication.js | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/frappe/public/js/frappe/utils/utils.js b/frappe/public/js/frappe/utils/utils.js
index 6deef69d1f..594da353e6 100644
--- a/frappe/public/js/frappe/utils/utils.js
+++ b/frappe/public/js/frappe/utils/utils.js
@@ -281,8 +281,8 @@ Object.assign(frappe.utils, {
 
 	html2text: function (html) {
 		const parser = new DOMParser();
-		const dom = parser.parseFromString(html);
-		return dom.textContent;
+		const dom = parser.parseFromString(html, "text/html");
+		return dom.body.textContent;
 	},
 
 	is_url: function (txt) {
diff --git a/frappe/public/js/frappe/views/communication.js b/frappe/public/js/frappe/views/communication.js
index c0f62058be..713afd0895 100755
--- a/frappe/public/js/frappe/views/communication.js
+++ b/frappe/public/js/frappe/views/communication.js
@@ -843,13 +843,13 @@ frappe.views.CommunicationComposer = class {
 
 	html2text(html) {
 		// convert HTML to text and try and preserve whitespace
-		const d = document.createElement("div");
-		d.innerHTML = html
+
+		html = html
 			.replace(/<\/div>/g, "<br></div>") // replace end of blocks
 			.replace(/<\/p>/g, "<br></p>") // replace end of paragraphs
 			.replace(/<br>/g, "\n");
 
-		// replace multiple empty lines with just one
-		return d.textContent.replace(/\n{3,}/g, "\n\n");
+		const text = frappe.utils.html2text(html);
+		return text.replace(/\n{3,}/g, "\n\n");
 	}
 };