vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

fix(user): sanitize all html tags in name fields

Browse source 
Name fields shouldn't really be allowing HTML tags in User Doctype.
This commit is contained in:
AarDG10 2026-04-13 20:56:47 +05:30
parent c3d8214124
commit a1d7fb77e3
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
frappe/core/doctype/user/user.py
View file

@ -359,7 +359,7 @@ class User(Document):
def clean_name(self): def clean_name(self):
for field in ("first_name", "middle_name", "last_name"): for field in ("first_name", "middle_name", "last_name"):
if field_value := self.get(field): if field_value := self.get(field):
self.set(field, sanitize_html(field_value, always_sanitize=True)) self.set(field, sanitize_html(field_value, always_sanitize=True, disallowed_tags="*"))
def set_full_name(self): def set_full_name(self):
self.full_name = " ".join(p for p in [self.first_name, self.middle_name, self.last_name] if p) self.full_name = " ".join(p for p in [self.first_name, self.middle_name, self.last_name] if p)