diff --git a/frappe/core/doctype/version/version_view.html b/frappe/core/doctype/version/version_view.html
index a17460ccc7..c6473b6a42 100644
--- a/frappe/core/doctype/version/version_view.html
+++ b/frappe/core/doctype/version/version_view.html
@@ -18,8 +18,8 @@
{% for item in data.changed %}
| {{ frappe.meta.get_label(doc.ref_doctype, item[0]) }} |
- {{ item[1] }} |
- {{ item[2] }} |
+ {{ frappe.utils.escape_html(item[1]) }} |
+ {{ frappe.utils.escape_html(item[2]) }} |
{% endfor %}
@@ -50,7 +50,7 @@
{% for row_key in item_keys %}
| {{ row_key }} |
- {{ item[1][row_key] }} |
+ {{ frappe.utils.escape_html(item[1][row_key]) }} |
{% endfor %}
@@ -85,8 +85,8 @@
{{ frappe.meta.get_label(doc.ref_doctype, table_info[0]) }} |
{{ table_info[1] }} |
{{ item[0] }} |
- {{ item[1] }} |
- {{ item[2] }} |
+ {{ frappe.utils.escape_html(item[1]) }} |
+ {{ frappe.utils.escape_html(item[2]) }} |
{% endfor %}
{% endfor %}
diff --git a/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js b/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js
index 1912b5928e..84ee4fd67d 100644
--- a/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js
+++ b/frappe/public/js/frappe/form/footer/version_timeline_content_builder.js
@@ -278,7 +278,6 @@ function format_content_for_timeline(content) {
// limits content to 40 characters
// escapes HTML
// and makes it bold
- content = frappe.utils.html2text(content);
content = frappe.ellipsis(content, 40) || '""';
content = frappe.utils.escape_html(content);
return content.bold();
diff --git a/frappe/public/js/frappe/utils/utils.js b/frappe/public/js/frappe/utils/utils.js
index 09805cd05f..6deef69d1f 100644
--- a/frappe/public/js/frappe/utils/utils.js
+++ b/frappe/public/js/frappe/utils/utils.js
@@ -280,9 +280,9 @@ Object.assign(frappe.utils, {
},
html2text: function (html) {
- let d = document.createElement("div");
- d.innerHTML = html;
- return d.textContent;
+ const parser = new DOMParser();
+ const dom = parser.parseFromString(html);
+ return dom.textContent;
},
is_url: function (txt) {