From bf6d336e95c6e0abfdf1f42430837e33be10db3c Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Wed, 17 Mar 2021 14:53:13 +0530
Subject: [PATCH] fix: update escape_html to escape quotes previous jquery hack didn't escape double quotes.
---
 frappe/public/js/frappe/utils/utils.js | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/frappe/public/js/frappe/utils/utils.js b/frappe/public/js/frappe/utils/utils.js
index b0fb39235f..ee206b928f 100644
--- a/frappe/public/js/frappe/utils/utils.js
+++ b/frappe/public/js/frappe/utils/utils.js
@@ -220,8 +220,23 @@ Object.assign(frappe.utils, {
 });
 return out.join(newline);
 },
+
+
 escape_html: function(txt) {
- return $("
").text(txt || "").html();
+ let escape_html_mapping = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ '`': '`',
+ '=': '='
+ };
+
+ return String(txt).replace(/[&<>"'`=/]/g, function(char) {
+ return escape_html_mapping[char];
+ });
 },
 html2text: function(html) {
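Review bot: `String(txt)` in the new `escape_html` turns `null` and `undefined` into the literal text "null" / "undefined", whereas the removed line passed `txt || ""` and returned an empty string, so callers that hand over an unset field will now render that word. Keeping the old guard, `String(txt || "")` in place of `String(txt)`, preserves the previous contract while still escaping quotes. The function would also benefit from a comment stating its scope, for example `// Escapes for HTML text and quoted attribute values only; not safe for unquoted attributes, script blocks or URLs.` The mapping values are shown on this page as the bare characters, so the entity strings cannot be checked from here; it is worth confirming in the file that each key maps to its entity.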