From dd876a36c5c049da1c0db7bb99684c809a5c3a83 Mon Sep 17 00:00:00 2001
From: Corentin Forler <10946971+cogk@users.noreply.github.com>
Date: Tue, 11 Feb 2025 10:46:30 +0100
Subject: [PATCH] fix: Prevent HTML injection in Button attributes and
documentation_url (#31188)
* fix: Prevent HTML injection in Button attributes
* fix: Prevent HTML injection in documentation_url
---
frappe/public/js/frappe/form/controls/base_input.js | 6 +++++-
frappe/public/js/frappe/form/controls/button.js | 5 ++++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/frappe/public/js/frappe/form/controls/base_input.js b/frappe/public/js/frappe/form/controls/base_input.js
index d5bd2eb86a..0eb185cdb6 100644
--- a/frappe/public/js/frappe/form/controls/base_input.js
+++ b/frappe/public/js/frappe/form/controls/base_input.js
@@ -189,7 +189,11 @@ frappe.ui.form.ControlInput = class ControlInput extends frappe.ui.form.Control
let $help = this.$wrapper.find("span.help");
$help.empty();
- $(`
+ $(`
${frappe.utils.icon("help", "sm")}
`).appendTo($help);
}
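Review bot: The anchor markup that this commit escapes is not visible here — the lines between `$help.empty()` and `` `).appendTo($help) `` carry only the `-`/`+` markers and the `frappe.utils.icon("help", "sm")` call, so the actual escaping of documentation_url cannot be checked from this hunk. What can be said is that HTML-attribute escaping of a URL stops tag and attribute breakout but does not by itself reject unsafe URL schemes when the value lands in an `href`. If the value (presumably `this.df.documentation_url`) can be set by users who are not fully trusted, consider also validating the scheme before building the anchor, e.g. `const url = String(this.df.documentation_url ?? ""); if (!/^https?:\/\//i.test(url)) return;` ahead of the template. A short comment such as `// documentation_url is user-controlled: escape for the attribute and accept http(s) only` would record the intent for the next maintainer. The enclosing method starts before this hunk, so the guard's placement relative to the rest of its body cannot be confirmed here.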
diff --git a/frappe/public/js/frappe/form/controls/button.js b/frappe/public/js/frappe/form/controls/button.js
index 5e67ae783c..16633da854 100644
--- a/frappe/public/js/frappe/form/controls/button.js
+++ b/frappe/public/js/frappe/form/controls/button.js
@@ -8,7 +8,10 @@ frappe.ui.form.ControlButton = class ControlButton extends frappe.ui.form.Contro
const btn_type = this.df.primary ? "btn-primary" : "btn-default";
const btn_size = this.df.btn_size ? `btn-${this.df.btn_size}` : "btn-xs";
this.$input = $(
- `