From efda1591917b69b1588f9a0a0bd288e57827fe22 Mon Sep 17 00:00:00 2001 From: raizasafeel <89463672+raizasafeel@users.noreply.github.com> Date: Thu, 12 Mar 2026 00:37:29 +0530 Subject: [PATCH] fix: prevent stored XSS decoding in _lms.py --- lms/www/_lms.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/lms/www/_lms.py b/lms/www/_lms.py index 1aca0b9f..2e9dd837 100644 --- a/lms/www/_lms.py +++ b/lms/www/_lms.py @@ -3,6 +3,7 @@ import re import frappe from bs4 import BeautifulSoup from frappe import _ +from frappe.utils.data import escape_html from frappe.utils.telemetry import capture from lms.lms.utils import get_lms_path, get_lms_route @@ -109,7 +110,7 @@ def get_meta_from_document(app_path): if course.description: soup = BeautifulSoup(course.description, "html.parser") - course.description = soup.get_text() + course.description = escape_html(soup.get_text()) return { "title": course.title, @@ -136,7 +137,7 @@ def get_meta_from_document(app_path): if batch.batch_details: soup = BeautifulSoup(batch.batch_details, "html.parser") - batch.batch_details = soup.get_text() + batch.batch_details = escape_html(soup.get_text()) return { "title": batch.title, @@ -163,7 +164,7 @@ def get_meta_from_document(app_path): if batch.batch_details: soup = BeautifulSoup(batch.batch_details, "html.parser") - batch.batch_details = soup.get_text() + batch.batch_details = escape_html(soup.get_text()) return { "title": batch.title, @@ -191,7 +192,7 @@ def get_meta_from_document(app_path): if job_opening.description: soup = BeautifulSoup(job_opening.description, "html.parser") - job_opening.description = soup.get_text() + job_opening.description = escape_html(soup.get_text()) return { "title": job_opening.job_title, @@ -221,7 +222,7 @@ def get_meta_from_document(app_path): if user.bio: soup = BeautifulSoup(user.bio, "html.parser") - user.bio = soup.get_text() + user.bio = escape_html(soup.get_text()) return { "title": user.full_name,
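Review bot: The escaping is applied to the data rather than at the output sink, so whether `course.description = escape_html(soup.get_text())` fixes or breaks the meta rendering depends on the template that consumes the returned dict, which is outside this hunk. If that template (or Jinja autoescape) already escapes the description, this double-encodes and a plain `&` in a stored description will render literally as `&amp;`; if it does not escape, then `course.title` on the hunk's last line is still emitted raw and remains an injection point the commit leaves open. Either escape consistently at the sink (`{{ description | e }}`-style, or autoescape) and drop the pre-escaping here, or escape every user-controlled field returned by this function, title included. At minimum the changed line should state which contract it relies on, e.g. `# get_text() decodes stored entities; escape_html() because the meta template inserts this value raw`. get_meta_from_document starts and continues outside this hunk.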
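Review bot: The strip-then-escape pair `BeautifulSoup(..., "html.parser").get_text()` followed by `escape_html(...)` is now repeated verbatim for batch_details here and for the other four documents in this file, so the next field added is likely to miss one of the two steps. Extract it once, e.g. `def _plain_text(html):` with body `return escape_html(BeautifulSoup(html, "html.parser").get_text())`, and call `batch.batch_details = _plain_text(batch.batch_details)` at each site. That also gives a single place to document that get_text() decodes stored entities such as `&lt;script&gt;` back to `<script>`, which is the reason the escape is needed at all. The enclosing get_meta_from_document runs beyond this hunk.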
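Review bot: `user.bio = escape_html(soup.get_text())` writes the escaped, tag-stripped text back onto the document object instead of a local, so any later use of `user` in this function, or another caller if the object comes from a cached lookup (the fetch is above the hunk and not visible), sees escaped meta text rather than the stored bio. Prefer a local, `bio = escape_html(soup.get_text())`, and use it where the return dict is built below the hunk; the same applies to the four sibling hunks. Note also that `user.full_name` on the hunk's last line is returned unescaped, so the dict now mixes pre-escaped and raw user-controlled fields, which makes the consuming template's escaping rule ambiguous. get_meta_from_document continues outside this hunk.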