fix: prevent stored XSS decoding in _lms.py

2026-04-19 22:52:29 +03:00 · 2026-03-12 00:37:29 +05:30
parent 82f0bb40ef
commit efda159191
1 changed files with 6 additions and 5 deletions
--- a/lms/www/_lms.py
+++ b/lms/www/_lms.py
@@ -3,6 +3,7 @@ import re
 import frappe
 from bs4 import BeautifulSoup
 from frappe import _
+from frappe.utils.data import escape_html
 from frappe.utils.telemetry import capture

 from lms.lms.utils import get_lms_path, get_lms_route
@@ -109,7 +110,7 @@ def get_meta_from_document(app_path):

 		if course.description:
 			soup = BeautifulSoup(course.description, "html.parser")
-			course.description = soup.get_text()
+			course.description = escape_html(soup.get_text())

 		return {
 			"title": course.title,
@@ -136,7 +137,7 @@ def get_meta_from_document(app_path):

 		if batch.batch_details:
 			soup = BeautifulSoup(batch.batch_details, "html.parser")
-			batch.batch_details = soup.get_text()
+			batch.batch_details = escape_html(soup.get_text())

 		return {
 			"title": batch.title,
@@ -163,7 +164,7 @@ def get_meta_from_document(app_path):

 		if batch.batch_details:
 			soup = BeautifulSoup(batch.batch_details, "html.parser")
-			batch.batch_details = soup.get_text()
+			batch.batch_details = escape_html(soup.get_text())

 		return {
 			"title": batch.title,
@@ -191,7 +192,7 @@ def get_meta_from_document(app_path):

 		if job_opening.description:
 			soup = BeautifulSoup(job_opening.description, "html.parser")
-			job_opening.description = soup.get_text()
+			job_opening.description = escape_html(soup.get_text())

 		return {
 			"title": job_opening.job_title,
@@ -221,7 +222,7 @@ def get_meta_from_document(app_path):

 		if user.bio:
 			soup = BeautifulSoup(user.bio, "html.parser")
-			user.bio = soup.get_text()
+			user.bio = escape_html(soup.get_text())

 		return {
 			"title": user.full_name,