From b8fe835d1a89aca2b77a47e65f58584bf40b2bd2 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Mon, 13 Jan 2025 11:39:29 +0530
Subject: [PATCH] fix(not_permitted_page): escape path

Reported-by: Sadik Shaikh
Signed-off-by: Akhil Narang
---
 frappe/website/page_renderers/not_permitted_page.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/frappe/website/page_renderers/not_permitted_page.py b/frappe/website/page_renderers/not_permitted_page.py
index c91b5efd80..cda6ca06f0 100644
--- a/frappe/website/page_renderers/not_permitted_page.py
+++ b/frappe/website/page_renderers/not_permitted_page.py
@@ -1,3 +1,5 @@
+from urllib.parse import quote_plus
+
 import frappe
 from frappe import _
 from frappe.utils import cstr
@@ -14,7 +16,7 @@ class NotPermittedPage(TemplatePage):
 return True

 def render(self):
- action = f"/login?redirect-to={frappe.request.path}"
+ action = f"/login?redirect-to={quote_plus(frappe.request.path)}"
 if frappe.request.path.startswith("/app/") or frappe.request.path == "/app":
 action = "/login"
 frappe.local.message_title = _("Not Permitted")
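Review bot: The new `quote_plus(frappe.request.path)` in `render()` encodes the path for use as a query value, but nothing in this hunk constrains what that path may be, so a path beginning with `//` would still be carried through as the `redirect-to` target; whether the login handler restricts that value to same-site paths is not visible here and is worth confirming. The encoded value is also built before the `/app` check that discards it, so the assignment could sit in an `else` branch instead. A comment such as `# request.path is client-controlled; encode it so it cannot add parameters to the login URL` would record why the call is there, and a test that renders this page for a path containing `&`, `"` and `<` would pin the fix. `render()` continues past the end of the hunk, so how `action` reaches the template is not shown.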