fix: Prevent HTML injection in Button attributes and documentation_url (#31188)

* fix: Prevent HTML injection in Button attributes

* fix: Prevent HTML injection in documentation_url

frappe/public/js/frappe/form/controls/base_input.js

@@ -189,7 +189,11 @@ frappe.ui.form.ControlInput = class ControlInput extends frappe.ui.form.Control
 
 		let $help = this.$wrapper.find("span.help");
 		$help.empty();
-		$(`<a href="${this.df.documentation_url}" target="_blank" title="${__("Documentation")}">
+		$(`<a
+			href="${frappe.utils.escape_html(this.df.documentation_url)}"
+			target="_blank"
+			title="${frappe.utils.escape_html(__("Documentation"))}"
+		>
 			${frappe.utils.icon("help", "sm")}
 		</a>`).appendTo($help);
 	}

frappe/public/js/frappe/form/controls/button.js

@@ -8,7 +8,10 @@ frappe.ui.form.ControlButton = class ControlButton extends frappe.ui.form.Contro
 		const btn_type = this.df.primary ? "btn-primary" : "btn-default";
 		const btn_size = this.df.btn_size ? `btn-${this.df.btn_size}` : "btn-xs";
 		this.$input = $(
-			`<button class="btn ${btn_size} ${btn_type} ellipsis" title="${this.df.label}">`
+			`<button
+				class="btn ${frappe.utils.escape_html(btn_size)} ${frappe.utils.escape_html(btn_type)} ellipsis"
+				title="${frappe.utils.escape_html(this.df.label)}"
+			>`
 		)
 			.prependTo(me.input_area)
 			.on("click", function () {