fix: escape html in timline/version

frappe/core/doctype/version/version_view.html

@@ -18,8 +18,8 @@
 		{% for item in data.changed %}
 		<tr>
 			<td>{{ frappe.meta.get_label(doc.ref_doctype, item[0]) }}</td>
-			<td class="diff-remove">{{ item[1] }}</td>
-			<td class="diff-add">{{ item[2] }}</td>
+			<td class="diff-remove">{{ frappe.utils.escape_html(item[1]) }}</td>
+			<td class="diff-add">{{ frappe.utils.escape_html(item[2]) }}</td>
 		</tr>
 		{% endfor %}
 	</tbody>
@@ -50,7 +50,7 @@
 							{% for row_key in item_keys %}
 							<tr>
 								<td class="small">{{ row_key }}</td>
-								<td class="small">{{ item[1][row_key] }}</td>
+								<td class="small">{{ frappe.utils.escape_html(item[1][row_key]) }}</td>
 							</tr>
 							{% endfor %}
 						</tbody>
@@ -85,8 +85,8 @@
 				<td>{{ frappe.meta.get_label(doc.ref_doctype, table_info[0]) }}</td>
 				<td>{{ table_info[1] }}</td>
 				<td>{{ item[0] }}</td>
-				<td class="diff-remove">{{ item[1] }}</td>
-				<td class="diff-add">{{ item[2] }}</td>
+				<td class="diff-remove">{{ frappe.utils.escape_html(item[1]) }}</td>
+				<td class="diff-add">{{ frappe.utils.escape_html(item[2]) }}</td>
 			</tr>
 			{% endfor %}
 		{% endfor %}

frappe/public/js/frappe/form/footer/version_timeline_content_builder.js

@@ -278,7 +278,6 @@ function format_content_for_timeline(content) {
 	// limits content to 40 characters
 	// escapes HTML
 	// and makes it bold
-	content = frappe.utils.html2text(content);
 	content = frappe.ellipsis(content, 40) || '""';
 	content = frappe.utils.escape_html(content);
 	return content.bold();

frappe/public/js/frappe/utils/utils.js

@@ -280,9 +280,9 @@ Object.assign(frappe.utils, {
 	},
 
 	html2text: function (html) {
-		let d = document.createElement("div");
-		d.innerHTML = html;
-		return d.textContent;
+		const parser = new DOMParser();
+		const dom = parser.parseFromString(html);
+		return dom.textContent;
 	},
 
 	is_url: function (txt) {