fix: quote provider name (#19604)

* fix: quote provider name * fix: escape icon in get_icon_html
2023-02-13 10:04:35 +01:00 · 2023-02-13 10:04:35 +01:00 · 8130153ce6
commit 8130153ce6
parent 8180f926e1
2 changed files with 7 additions and 4 deletions
--- a/frappe/utils/html_utils.py
+++ b/frappe/utils/html_utils.py
@ -4,6 +4,7 @@ import re
 from bleach_allowlist import bleach_allowlist

 import frappe
+from frappe.utils.data import escape_html

 EMOJI_PATTERN = re.compile(
 	"(\ud83d[\ude00-\ude4f])|"
@ -204,10 +205,12 @@ def get_icon_html(icon, small=False):

 	if is_image(icon):
 		return (
-			f'<img style="width: 16px; height: 16px;" src="{icon}">' if small else f'<img src="{icon}">'
+			f"<img style='width: 16px; height: 16px;' src={escape_html(icon)!r}>"
+			if small
+			else f"<img src={escape_html(icon)!r}>"
 		)
 	else:
-		return f"<i class='{icon}'></i>"
+		return f"<i class={escape_html(icon)!r}></i>"


 def unescape_html(value):
--- a/frappe/www/login.py
+++ b/frappe/www/login.py
@ -6,9 +6,9 @@ import frappe.utils
 from frappe import _
 from frappe.auth import LoginManager
 from frappe.integrations.doctype.ldap_settings.ldap_settings import LDAPSettings
-from frappe.integrations.oauth2_logins import decoder_compat
 from frappe.rate_limiter import rate_limit
 from frappe.utils import cint, get_url
+from frappe.utils.data import escape_html
 from frappe.utils.html_utils import get_icon_html
 from frappe.utils.jinja import guess_is_path
 from frappe.utils.oauth import get_oauth2_authorize_url, get_oauth_keys, redirect_post_login
@ -72,7 +72,7 @@ def get_context(context):
 			if provider.provider_name == "Custom":
 				icon = get_icon_html(provider.icon, small=True)
 			else:
-				icon = f"<img src='{provider.icon}' alt={provider.provider_name}>"
+				icon = f"<img src={escape_html(provider.icon)!r} alt={escape_html(provider.provider_name)!r}>"

 		if provider.client_id and provider.base_url and get_oauth_keys(provider.name):
 			context.provider_logins.append(