Merge pull request #31308 from akhilnarang/fix-xss

fix(send_message): escape HTML in the text
Akhil Narang 2025-02-19 16:33:40 +05:30 committed by GitHub
commit e181bf118c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -6,7 +6,7 @@ from contextlib import suppress
import frappe
from frappe import _
from frappe.rate_limiter import rate_limit
from frappe.utils import validate_email_address
from frappe.utils import escape_html, validate_email_address
sitemap = 1
@ -30,6 +30,8 @@ def get_context(context):
def send_message(sender, message, subject="Website Query"):
sender = validate_email_address(sender, throw=True)
message = escape_html(message)
with suppress(frappe.OutgoingEmailError):
if forward_to_email := frappe.db.get_single_value("Contact Us Settings", "forward_to_email"):
frappe.sendmail(recipients=forward_to_email, reply_to=sender, content=message, subject=subject)
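Review bot: `subject` is just as caller-controlled as `message` (it is a parameter of `send_message` with a default), yet only `message` is escaped on the added line and `subject` reaches `frappe.sendmail(..., subject=subject)` on the last line of the hunk untouched; if the subject is interpolated into the HTML notification body or a template downstream, the same injection path remains. The minimal fix is to treat it the same way, `subject = escape_html(subject)`, and it is worth stripping CR/LF from it as well (`subject = escape_html(subject).replace("\r", "").replace("\n", "")`) unless `frappe.sendmail` is known to reject embedded line breaks in headers. A related caveat: escaping at the top of the function means every later use of `message` in `send_message` — the rest of the body continues outside the hunk — now sees HTML-escaped text, so any consumer that already escapes on output will double-escape `&`, `<` and `>`; a comment such as `# message is HTML-escaped here; downstream templates must not escape it again` would make that contract explicit.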