From 89c945f9023312574e53beed3e2dac3a08fcd81e Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 15 Jan 2025 11:54:09 +0530
Subject: [PATCH] fix(user): strip html tags from user name
Signed-off-by: Akhil Narang
---
 frappe/core/doctype/user/user.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index bcb8557c1d..72cd63eda1 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -182,6 +182,7 @@ class User(Document):
 self.populate_role_profile_roles()
 self.check_roles_added()
 self.set_system_user()
+ self.clean_name()
 self.set_full_name()
 self.check_enable_disable()
 self.ensure_unique_roles()
@@ -310,6 +311,11 @@ class User(Document):
 """Return True if current user is the session user."""
 return self.name == frappe.session.user
+ def clean_name(self):
+ self.first_name = escape_html(self.first_name)
+ self.middle_name = escape_html(self.middle_name)
+ self.last_name = escape_html(self.last_name)
+
 def set_full_name(self):
 self.full_name = " ".join(filter(None, [self.first_name, self.last_name]))
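Review bot: `clean_name()` in the second hunk escapes the three name parts rather than stripping tags as the subject line says, and the first hunk calls it on every pass through the surrounding method (whose body starts and ends outside the hunk), so an already-escaped stored value is escaped again on each save. If `escape_html` encodes `&` and quote characters as well as angle brackets, a name such as `O'Brien & Co` gains another layer of entities every time the document is saved, and the entity-encoded text also flows into `full_name` and into any consumer that does not render HTML. Either make the step idempotent or keep the stored value raw and encode at render time for the specific output context. A regression test that saves the same User twice and asserts the name fields are unchanged would pin whichever is chosen. The method also lacks a docstring stating that contract, e.g. `"""Escape HTML metacharacters in first, middle and last name before full_name is built."""`.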