From a1d7fb77e35e44232329ccf5364b58a383dacfb1 Mon Sep 17 00:00:00 2001 From: AarDG10 Date: Mon, 13 Apr 2026 20:56:47 +0530 Subject: [PATCH] fix(user): sanitize all html tags in name fields Name fields shouldn't really be allowing HTML tags in User Doctype. --- frappe/core/doctype/user/user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py index 84c9580e30..08c1e7fa68 100644 --- a/frappe/core/doctype/user/user.py +++ b/frappe/core/doctype/user/user.py @@ -359,7 +359,7 @@ class User(Document): def clean_name(self): for field in ("first_name", "middle_name", "last_name"): if field_value := self.get(field): - self.set(field, sanitize_html(field_value, always_sanitize=True)) + self.set(field, sanitize_html(field_value, always_sanitize=True, disallowed_tags="*")) def set_full_name(self): self.full_name = " ".join(p for p in [self.first_name, self.middle_name, self.last_name] if p)