[fix] injection

2026-02-12 17:23:38 +00:00 · 2015-12-01 17:16:55 +05:30
parent 8320f758be
commit 10e1452450
2 changed files with 17 additions and 17 deletions
--- a/erpnext/accounts/page/accounts_browser/accounts_browser.py
+++ b/erpnext/accounts/page/accounts_browser/accounts_browser.py
@@ -11,42 +11,42 @@ from erpnext.accounts.report.financial_statements import sort_root_accounts
@frappe.whitelist()
 def get_companies():
 	"""get a list of companies based on permission"""
-	return [d.name for d in frappe.get_list("Company", fields=["name"], 
+	return [d.name for d in frappe.get_list("Company", fields=["name"],
 		order_by="name")]

@frappe.whitelist()
 def get_children():
 	args = frappe.local.form_dict
 	ctype, company = args['ctype'], args['comp']
-	
+
 	# root
 	if args['parent'] in ("Accounts", "Cost Centers"):
 		select_cond = ", root_type, report_type" if args["parent"]=="Accounts" else ""
-		acc = frappe.db.sql(""" select 
+		acc = frappe.db.sql(""" select
 			name as value, if(group_or_ledger='Group', 1, 0) as expandable %s
 			from `tab%s`
-			where ifnull(parent_%s,'') = ''
-			and `company` = %s	and docstatus<2 
-			order by name""" % (select_cond, ctype, ctype.lower().replace(' ','_'), '%s'),
+			where ifnull(`parent_%s`,'') = ''
+			and `company` = %s	and docstatus<2
+			order by name""" % (select_cond, frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				company, as_dict=1)
-				
+
 		if args["parent"]=="Accounts":
 			sort_root_accounts(acc)
-	else:	
+	else:
 		# other
-		acc = frappe.db.sql("""select 
+		acc = frappe.db.sql("""select
 			name as value, if(group_or_ledger='Group', 1, 0) as expandable
-	 		from `tab%s` 
-			where ifnull(parent_%s,'') = %s
-			and docstatus<2 
-			order by name""" % (ctype, ctype.lower().replace(' ','_'), '%s'),
+	 		from `tab%s`
+			where ifnull(`parent_%s`,'') = %s
+			and docstatus<2
+			order by name""" % (frappe.db.escape(ctype), frappe.db.escape(ctype.lower().replace(' ','_')), '%s'),
 				args['parent'], as_dict=1)
-				
+
 	if ctype == 'Account':
 		currency = frappe.db.sql("select default_currency from `tabCompany` where name = %s", company)[0][0]
 		for each in acc:
 			bal = get_balance_on(each.get("value"))
 			each["currency"] = currency
 			each["balance"] = flt(bal)
-		
+
 	return acc
--- a/erpnext/accounts/utils.py
+++ b/erpnext/accounts/utils.py
@@ -50,7 +50,7 @@ def get_balance_on(account=None, date=None):

 	cond = []
 	if date:
-		cond.append("posting_date <= '%s'" % date)
+		cond.append("posting_date <= '%s'" % frappe.db.escape(date))
 	else:
 		# get balance of all entries that exist
 		date = nowdate()
@@ -79,7 +79,7 @@ def get_balance_on(account=None, date=None):
 			and ac.lft >= %s and ac.rgt <= %s
 		)""" % (acc.lft, acc.rgt))
 	else:
-		cond.append("""gle.account = "%s" """ % (account.replace('"', '\\"'), ))
+		cond.append("""gle.account = "%s" """ % (frappe.db.escape(account), ))

 	bal = frappe.db.sql("""
 		SELECT sum(ifnull(debit, 0)) - sum(ifnull(credit, 0))