From f2d0baf79d67a03e96551a6ea89c4328e2bcd164 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 19 Feb 2025 12:23:47 +0530
Subject: [PATCH] fix(send_message): escape HTML in the text

Signed-off-by: Akhil Narang
---
 frappe/www/contact.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/frappe/www/contact.py b/frappe/www/contact.py
index 1d6db31f68..c9a43c7d7a 100644
--- a/frappe/www/contact.py
+++ b/frappe/www/contact.py
@@ -6,7 +6,7 @@ from contextlib import suppress
 import frappe
 from frappe import _
 from frappe.rate_limiter import rate_limit
-from frappe.utils import validate_email_address
+from frappe.utils import escape_html, validate_email_address
 
 sitemap = 1
 
@@ -30,6 +30,8 @@ def get_context(context):
 def send_message(sender, message, subject="Website Query"):
 	sender = validate_email_address(sender, throw=True)
 
+	message = escape_html(message)
+
 	with suppress(frappe.OutgoingEmailError):
 		if forward_to_email := frappe.db.get_single_value("Contact Us Settings", "forward_to_email"):
 			frappe.sendmail(recipients=forward_to_email, reply_to=sender, content=message, subject=subject)
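Review bot: `subject` is also a caller-supplied argument and still reaches `frappe.sendmail(subject=subject)` unescaped on the last line of the second hunk, so the commit closes the markup-injection path for `message` but leaves the other user-controlled input untouched. If this endpoint is reachable by website visitors (its decorators sit above the hunk, so this is inferred from `rate_limit` being imported), the subject deserves the same treatment next to the new line, e.g. `subject = escape_html(subject)`, plus a sensible length cap since it becomes a mail header. Note also that escaping here rewrites `message` for every downstream use; `send_message` continues past the last hunk line, and if that remainder persists the text for a plain-text consumer it will now contain entities such as `&lt;`. A short comment above the added line, `# message is rendered as HTML in the outgoing mail; escape it to prevent markup injection`, would record why the escaping happens at input time rather than at render time.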