fix(send_message): escape HTML in the text

Signed-off-by: Akhil Narang <me@akhilnarang.dev>

frappe/www/contact.py

@@ -6,7 +6,7 @@ from contextlib import suppress
 import frappe
 from frappe import _
 from frappe.rate_limiter import rate_limit
-from frappe.utils import validate_email_address
+from frappe.utils import escape_html, validate_email_address
 
 sitemap = 1
 
@@ -30,6 +30,8 @@ def get_context(context):
 def send_message(sender, message, subject="Website Query"):
 	sender = validate_email_address(sender, throw=True)
 
+	message = escape_html(message)
+
 	with suppress(frappe.OutgoingEmailError):
 		if forward_to_email := frappe.db.get_single_value("Contact Us Settings", "forward_to_email"):
 			frappe.sendmail(recipients=forward_to_email, reply_to=sender, content=message, subject=subject)