Shiloh/brotherton-erpnext
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #15094 from frappe/search-injection-fix

Browse Source 
prevent jinja exec in search title
This commit is contained in:
Prateeksha Singh 2018-08-06 13:05:29 +05:30 committed by GitHub
commit 733433c91e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
erpnext/templates/pages/search_help.py
View File

@ -10,7 +10,9 @@ def get_context(context):
context.no_cache = 1 context.no_cache = 1
if frappe.form_dict.q: if frappe.form_dict.q:
query = str(utils.escape(sanitize_html(frappe.form_dict.q))) query = str(utils.escape(sanitize_html(frappe.form_dict.q)))
context.title = _('Help Results for "{0}"').format(query) context.title = _('Help Results for')
context.query = query
context.route = '/search_help' context.route = '/search_help'
d = frappe._dict() d = frappe._dict()
d.results_sections = get_help_results_sections(query) d.results_sections = get_help_results_sections(query)