fix: sanitize name before user sign up

do not allow html characters in name validation Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2020-07-03 11:39:57 +05:30 · 2020-07-03 11:39:57 +05:30 · e4f852bfc8
commit e4f852bfc8
parent 0c128c360b
2 changed files with 3 additions and 3 deletions
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@ -4,7 +4,7 @@
 from __future__ import unicode_literals, print_function
 import frappe
 from frappe.model.document import Document
-from frappe.utils import cint, flt, has_gravatar, format_datetime, now_datetime, get_formatted_email, today
+from frappe.utils import cint, flt, has_gravatar, escape_html, format_datetime, now_datetime, get_formatted_email, today
 from frappe import throw, msgprint, _
 from frappe.utils.password import update_password as _update_password
 from frappe.desk.notifications import clear_notifications
@ -770,7 +770,7 @@ def sign_up(email, full_name, redirect_to):
 		user = frappe.get_doc({
 			"doctype":"User",
 			"email": email,
-			"first_name": full_name,
+			"first_name": escape_html(full_name),
 			"enabled": 1,
 			"new_password": random_string(10),
 			"user_type": "Website User"
--- a/frappe/templates/includes/login/login.js
+++ b/frappe/templates/includes/login/login.js
@ -34,7 +34,7 @@ login.bind_events = function() {
 		args.cmd = "frappe.core.doctype.user.user.sign_up";
 		args.email = ($("#signup_email").val() || "").trim();
 		args.redirect_to = frappe.utils.sanitise_redirect(frappe.utils.get_url_arg("redirect-to"));
-		args.full_name = ($("#signup_fullname").val() || "").trim();
+		args.full_name = frappe.utils.xss_sanitise(($("#signup_fullname").val() || "").trim());
 		if(!args.email || !validate_email(args.email) || !args.full_name) {
 			login.set_indicator('{{ _("Valid email and name required") }}', 'red');
 			return false;