Merge pull request #2129 from pateljannat/issues-194

fix: sanitize data before creating new course or batch

frontend/src/pages/Batches/components/NewBatchModal.vue

@@ -113,7 +113,7 @@ import { Button, Dialog, FormControl, TextEditor, toast } from 'frappe-ui'
 import { useOnboarding, useTelemetry } from 'frappe-ui/frappe'
 import { ref, inject, onMounted, onBeforeUnmount } from 'vue'
 import { useRouter } from 'vue-router'
-import { cleanError, openSettings } from '@/utils'
+import { cleanError, openSettings, sanitizeHTML, escapeHTML } from '@/utils'
 import Link from '@/components/Controls/Link.vue'
 import MultiSelect from '@/components/Controls/MultiSelect.vue'
 
@@ -127,7 +127,21 @@ const props = defineProps<{
 	batches: any
 }>()
 
-const batch = ref({
+type Batch = {
+	title: string
+	start_date: string | null
+	end_date: string | null
+	start_time: string | null
+	end_time: string | null
+	timezone: string | null
+	description: string
+	batch_details: string
+	instructors: string[]
+	category: string | null
+	seat_count: number
+}
+
+const batch = ref<Batch>({
 	title: '',
 	start_date: null,
 	end_date: null,
@@ -141,7 +155,23 @@ const batch = ref({
 	seat_count: 0,
 })
 
+const validateFields = () => {
+	batch.value.description = sanitizeHTML(batch.value.description)
+
+	Object.keys(batch.value).forEach((key) => {
+		if (
+			key != 'description' &&
+			typeof batch.value[key as keyof Batch] === 'string'
+		) {
+			batch.value[key as keyof Batch] = escapeHTML(
+				batch.value[key as keyof Batch] as string
+			)
+		}
+	})
+}
+
 const saveBatch = (close: () => void = () => {}) => {
+	validateFields()
 	props.batches.insert.submit(
 		{
 			...batch.value,

frontend/src/pages/Courses/NewCourseModal.vue

@@ -77,7 +77,7 @@ import { Button, Dialog, FormControl, TextEditor, toast } from 'frappe-ui'
 import { useOnboarding, useTelemetry } from 'frappe-ui/frappe'
 import { inject, onMounted, onBeforeUnmount, ref } from 'vue'
 import { useRouter } from 'vue-router'
-import { cleanError, openSettings } from '@/utils'
+import { cleanError, openSettings, sanitizeHTML, escapeHTML } from '@/utils'
 import Link from '@/components/Controls/Link.vue'
 import MultiSelect from '@/components/Controls/MultiSelect.vue'
 import Uploader from '@/components/Controls/Uploader.vue'
@@ -92,7 +92,16 @@ const props = defineProps<{
 	courses: any
 }>()
 
-const course = ref({
+type Course = {
+	title: string
+	short_introduction: string
+	description: string
+	instructors: string[]
+	category: string | null
+	image: string | null
+}
+
+const course = ref<Course>({
 	title: '',
 	short_introduction: '',
 	description: '',
@@ -101,7 +110,23 @@ const course = ref({
 	image: null,
 })
 
+const validateFields = () => {
+	course.value.description = sanitizeHTML(course.value.description)
+
+	Object.keys(course.value).forEach((key) => {
+		if (
+			key != 'description' &&
+			typeof course.value[key as keyof Course] === 'string'
+		) {
+			course.value[key as keyof Course] = escapeHTML(
+				course.value[key as keyof Course] as string
+			)
+		}
+	})
+}
+
 const saveCourse = (close: () => void = () => {}) => {
+	validateFields()
 	props.courses.insert.submit(
 		{
 			...course.value,