fix(blog): Fix possible reflected XSS attack vector

omirajkar · Mar 30, 2019 · 2fa19c2 · 2fa19c2
1 parent 4a5536c
commit 2fa19c2
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/frappe/website/doctype/blog_post/blog_post.py b/frappe/website/doctype/blog_post/blog_post.py
@@ -7,7 +7,7 @@
 from frappe import _
 from frappe.website.website_generator import WebsiteGenerator
 from frappe.website.render import clear_cache
-from frappe.utils import today, cint, global_date_format, get_fullname, strip_html_tags, markdown
+from frappe.utils import today, cint, global_date_format, get_fullname, strip_html_tags, markdown, sanitize_html
 from frappe.website.utils import find_first_image, get_comment_list
 
 class BlogPost(WebsiteGenerator):
@@ -95,7 +95,7 @@ def get_list_context(context=None):
 		title = _('Blog')
 	)
 
-	category = frappe.local.form_dict.blog_category or frappe.local.form_dict.category
+	category = sanitize_html(frappe.local.form_dict.blog_category or frappe.local.form_dict.category)
 	if category:
 		category_title = get_blog_category(category)
 		list_context.sub_title = _("Posts filed under {0}").format(category_title)
@@ -107,7 +107,7 @@ def get_list_context(context=None):
 		list_context.title = blogger
 
 	elif frappe.local.form_dict.txt:
-		list_context.sub_title = _('Filtered by "{0}"').format(frappe.local.form_dict.txt)
+		list_context.sub_title = _('Filtered by "{0}"').format(sanitize_html(frappe.local.form_dict.txt))
 
 	if list_context.sub_title:
 		list_context.parents = [{"name": _("Home"), "route": "/"},