From af611b1603794a8476e0001e69ebe0b398ae0b20 Mon Sep 17 00:00:00 2001
From: Jannat Patel
Date: Wed, 25 Feb 2026 13:03:47 +0530
Subject: [PATCH] fix: sanitize data before creating new course or batch

---
 .../Batches/components/NewBatchModal.vue | 34 +++++++++++++++++--
 frontend/src/pages/Courses/NewCourseModal.vue | 29 ++++++++++++++--
 2 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/frontend/src/pages/Batches/components/NewBatchModal.vue b/frontend/src/pages/Batches/components/NewBatchModal.vue
index 825ec494..001b1e51 100644
--- a/frontend/src/pages/Batches/components/NewBatchModal.vue
+++ b/frontend/src/pages/Batches/components/NewBatchModal.vue
@@ -113,7 +113,7 @@ import { Button, Dialog, FormControl, TextEditor, toast } from 'frappe-ui'
 import { useOnboarding, useTelemetry } from 'frappe-ui/frappe'
 import { ref, inject, onMounted, onBeforeUnmount } from 'vue'
 import { useRouter } from 'vue-router'
-import { cleanError, openSettings } from '@/utils'
+import { cleanError, openSettings, sanitizeHTML, escapeHTML } from '@/utils'
 import Link from '@/components/Controls/Link.vue'
 import MultiSelect from '@/components/Controls/MultiSelect.vue'
 
@@ -127,7 +127,21 @@ const props = defineProps<{
 	batches: any
 }>()
 
-const batch = ref({
+type Batch = {
+	title: string
+	start_date: string | null
+	end_date: string | null
+	start_time: string | null
+	end_time: string | null
+	timezone: string | null
+	description: string
+	batch_details: string
+	instructors: string[]
+	category: string | null
+	seat_count: number
+}
+
+const batch = ref({
 	title: '',
 	start_date: null,
 	end_date: null,
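Review bot: The re-added `const batch = ref({` line in the `@@ -127,7 +127,21 @@` hunk is identical to the removed one, so the new `Batch` type is never attached to the ref and `batch.value` stays inferred from the literal (`start_date: null`, `instructors: []`); the `as keyof Batch` casts in the next hunk then only paper over that. If the rendering stripped a `<Batch>` generic argument this is moot, but as shown the line should read `const batch = ref<Batch>({` so the compiler checks the field types. The same applies to `const course = ref({` in the `@@ -92,7 +92,16 @@` hunk of NewCourseModal.vue.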
@@ -141,7 +155,23 @@ const batch = ref({
 	seat_count: 0,
 })
 
+const validateFields = () => {
+	batch.value.description = sanitizeHTML(batch.value.description)
+
+	Object.keys(batch.value).forEach((key) => {
+		if (
+			key != 'description' &&
+			typeof batch.value[key as keyof Batch] === 'string'
+		) {
+			batch.value[key as keyof Batch] = escapeHTML(
+				batch.value[key as keyof Batch] as string
+			)
+		}
+	})
+}
+
 const saveBatch = (close: () => void = () => {}) => {
+	validateFields()
 	props.batches.insert.submit(
 		{
 			...batch.value,
diff --git a/frontend/src/pages/Courses/NewCourseModal.vue b/frontend/src/pages/Courses/NewCourseModal.vue
index 7bf30012..4e6aa1e2 100644
--- a/frontend/src/pages/Courses/NewCourseModal.vue
+++ b/frontend/src/pages/Courses/NewCourseModal.vue
@@ -77,7 +77,7 @@ import { Button, Dialog, FormControl, TextEditor, toast } from 'frappe-ui'
 import { useOnboarding, useTelemetry } from 'frappe-ui/frappe'
 import { inject, onMounted, onBeforeUnmount, ref } from 'vue'
 import { useRouter } from 'vue-router'
-import { cleanError, openSettings } from '@/utils'
+import { cleanError, openSettings, sanitizeHTML, escapeHTML } from '@/utils'
 import Link from '@/components/Controls/Link.vue'
 import MultiSelect from '@/components/Controls/MultiSelect.vue'
 import Uploader from '@/components/Controls/Uploader.vue'
@@ -92,7 +92,16 @@ const props = defineProps<{
 	courses: any
 }>()
 
-const course = ref({
+type Course = {
+	title: string
+	short_introduction: string
+	description: string
+	instructors: string[]
+	category: string | null
+	image: string | null
+}
+
+const course = ref({
 	title: '',
 	short_introduction: '',
 	description: '',
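Review bot: `validateFields` rewrites the reactive `batch.value` in place before `insert.submit`, so a failed submit followed by a retry runs `escapeHTML` over already-escaped text (`&` → `&amp;` → `&amp;amp;`) and the form fields meanwhile display the escaped markup to the user. Persisting escaped text is also the wrong layer for output encoding: the server should validate and store the user's text and escape on render, and since a caller can reach the API without this component the client-side pass is defence in depth rather than the control — worth a comment on the helper saying so. I would have the helper return a sanitised copy that is spread into the submit payload while the ref is left untouched, rename it since it sanitises rather than validates, and use `key !== 'description'`. `batch_details` is typed as a string and the component imports `TextEditor`, so if it is a second rich-text field it needs `sanitizeHTML` rather than `escapeHTML` — confirm against the template. The `@@ -101,7 +110,23 @@` hunk in NewCourseModal.vue has the same shape and the same issues.
```typescript
// Returns a sanitised copy of the form state for submission; the ref itself is never modified.
// Client-side only: the server must still validate and escape on render.
const sanitizedBatch = (): Batch => {
	const copy: Batch = { ...batch.value }
	for (const key of Object.keys(copy) as (keyof Batch)[]) {
		const value = copy[key]
		if (key !== 'description' && typeof value === 'string') {
			// TODO(review): batch_details may be rich text and need sanitizeHTML instead
			;(copy as Record<keyof Batch, unknown>)[key] = escapeHTML(value)
		}
	}
	copy.description = sanitizeHTML(copy.description)
	return copy
}

const saveBatch = (close: () => void = () => {}) => {
	props.batches.insert.submit(
		{
			...sanitizedBatch(),
			// … unchanged: remaining submit payload and callbacks …
```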
@@ -101,7 +110,23 @@ const course = ref({
 	image: null,
 })
 
+const validateFields = () => {
+	course.value.description = sanitizeHTML(course.value.description)
+
+	Object.keys(course.value).forEach((key) => {
+		if (
+			key != 'description' &&
+			typeof course.value[key as keyof Course] === 'string'
+		) {
+			course.value[key as keyof Course] = escapeHTML(
+				course.value[key as keyof Course] as string
+			)
+		}
+	})
+}
+
 const saveCourse = (close: () => void = () => {}) => {
+	validateFields()
 	props.courses.insert.submit(
 		{
 			...course.value,