fix: sanitize user input during setup wizard

frappe/desk/page/setup_wizard/setup_wizard.py

@@ -50,7 +50,7 @@ def setup_complete(args):
 	if cint(frappe.db.get_single_value("System Settings", "setup_complete")):
 		return {"status": "ok"}
 
-	args = parse_args(args)
+	args = parse_args(sanitize_input(args))
 	stages = get_setup_stages(args)
 	is_background_task = frappe.conf.get("trigger_site_setup_in_background")
 
@@ -253,6 +253,19 @@ def parse_args(args):  # nosemgrep
 	return args
 
 
+def sanitize_input(args):
+	from frappe.utils import is_html, strip_html_tags
+
+	if isinstance(args, str):
+		args = json.loads(args)
+
+	for key, value in args.items():
+		if is_html(value):
+			args[key] = strip_html_tags(value)
+
+	return args
+
+
 def add_all_roles_to(name):
 	user = frappe.get_doc("User", name)
 	user.append_roles(*_get_default_roles())