From 8759a7b41c448eb71aea2336d9108203fbda2b3e Mon Sep 17 00:00:00 2001
From: Shariq Ansari <30859809+shariquerik@users.noreply.github.com>
Date: Thu, 4 May 2023 17:33:10 +0530
Subject: [PATCH] fix: message.py executing script (#20887)
---
 frappe/www/message.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/frappe/www/message.py b/frappe/www/message.py
index b5035de20f..d8e359f07c 100644
--- a/frappe/www/message.py
+++ b/frappe/www/message.py
@@ -3,6 +3,7 @@
 import frappe
 from frappe.utils import strip_html_tags
+from frappe.utils.html_utils import clean_html
 no_cache = 1
@@ -26,9 +27,9 @@ def get_context(context):
 frappe.local.response["http_status_code"] = message["http_status_code"]
 if not message_context.title:
- message_context.title = frappe.form_dict.title
+ message_context.title = clean_html(frappe.form_dict.title)
 if not message_context.message:
- message_context.message = frappe.form_dict.message
+ message_context.message = clean_html(frappe.form_dict.message)
 return message_context
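Review bot: In the second hunk, `clean_html` is applied only on the fallback branches that read `frappe.form_dict`. Any `title` or `message` already set on `message_context` before these lines still reaches the template unsanitized. That code sits above the hunk in `get_context`, so whether it is safe depends on who can write that stored message, and this should be confirmed or the same cleaning applied there. The two new assignments would also benefit from a comment giving the reason, for example `# form_dict values are request-controlled; sanitize before they reach the template`. Because this is a security fix, a regression test should accompany it, asserting that markup such as a script tag passed in the `title` and `message` request parameters does not appear in the returned context. Even after sanitizing, the page still shows text chosen by whoever built the link, so how the template escapes these fields remains relevant.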