fix: escape HTML instead of sanitizing

2023-03-30 11:52:53 +05:30 · 2023-03-30 11:52:53 +05:30 · a56ea73b7d
commit a56ea73b7d
parent 40ad983598
1 changed files with 5 additions and 6 deletions
--- a/frappe/www/printview.py
+++ b/frappe/www/printview.py
@ -11,7 +11,7 @@ import frappe
 from frappe import _, get_module_path
 from frappe.core.doctype.access_log.access_log import make_access_log
 from frappe.core.doctype.document_share_key.document_share_key import is_expired
-from frappe.utils import cint, sanitize_html, strip_html
+from frappe.utils import cint, escape_html, strip_html
 from frappe.utils.jinja_globals import is_rtl

 if TYPE_CHECKING:
@ -27,12 +27,11 @@ def get_context(context):
 	"""Build context for print"""
 	if not ((frappe.form_dict.doctype and frappe.form_dict.name) or frappe.form_dict.doc):
 		return {
-			"body": sanitize_html(
-				"""<h1>Error</h1>
+			"body": f"""
+				<h1>Error</h1>
 				<p>Parameters doctype and name required</p>
-				<pre>%s</pre>"""
-				% repr(frappe.form_dict)
-			)
+				<pre>{escape_html(frappe.as_json(frappe.form_dict, indent=2))}</pre>
+				"""
 		}

 	if frappe.form_dict.doc: