Escape success message (#3644)

2017-07-08 19:33:58 +05:30 · 2017-07-08 19:33:58 +05:30 · d366bde7c1
commit d366bde7c1
parent cd27a947d0
2 changed files with 3 additions and 4 deletions
--- a/frappe/website/doctype/web_form/templates/web_form.html
+++ b/frappe/website/doctype/web_form/templates/web_form.html
@ -350,10 +350,9 @@
 {% block script %}

 <script>
-{% set seccess_msg = success_message.replace("'", "\'") %}
 window.web_form_settings = {
 	allow_incomplete: 	{{ allow_incomplete or 0 }},
-	success_link: 		'<p>{{ success_msg or _("Your information has been submitted") }}</p><p><a href="{{ success_url or "/" }}" class="btn btn-sm btn-default">{{ _("Continue") }}</a></p>',
+	success_link: 		'<p>{{ success_message or _("Your information has been submitted") }}</p><p><a href="{{ success_url or "/" }}" class="btn btn-sm btn-default">{{ _("Continue") }}</a></p>',
 	datepicker_format: 	"{{ frappe.date_format }}",
 	web_form_doctype: 	"{{ doc_type }}",
 	web_form_name: 		"{{ name }}",
--- a/frappe/website/doctype/web_form/web_form.py
+++ b/frappe/website/doctype/web_form/web_form.py
@ -164,8 +164,8 @@ def get_context(context):
 			and (frappe.session.user!="Guest" or not self.login_required))

 		if context.success_message:
-			context.success_message = context.success_message.replace("\n",
-				"<br>").replace("'", "\'")
+			context.success_message = frappe.db.escape(context.success_message.replace("\n",
+				"<br>"))

 		self.add_custom_context_and_script(context)
 		if not context.max_attachment_size: