From 4479b93c1a80b175e91077c7fca0b2437bc46331 Mon Sep 17 00:00:00 2001 From: Pranav Nachnekar Date: Thu, 9 Jan 2020 06:52:11 +0000 Subject: [PATCH] fix: escape % in customer name (#20203) * fix: add new delivery note button in Sales Order * fix: escape % in customer name * Update sales_order.js Co-authored-by: Nabin Hait --- .../doctype/authorization_control/authorization_control.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/erpnext/setup/doctype/authorization_control/authorization_control.py b/erpnext/setup/doctype/authorization_control/authorization_control.py index 7db703fadf5..6a184b1a166 100644 --- a/erpnext/setup/doctype/authorization_control/authorization_control.py +++ b/erpnext/setup/doctype/authorization_control/authorization_control.py @@ -76,7 +76,7 @@ class AuthorizationControl(TransactionBase): add_cond = '' auth_value = av_dis - if val == 1: add_cond += " and system_user = '"+session['user'].replace("'", "\\'")+"'" + if val == 1: add_cond += " and system_user = '"+ frappe.db.escape(session['user']) +"'" elif val == 2: add_cond += " and system_role IN %s" % ("('"+"','".join(frappe.get_roles())+"')") else: add_cond += " and ifnull(system_user,'') = '' and ifnull(system_role,'') = ''" @@ -85,7 +85,7 @@ class AuthorizationControl(TransactionBase): if doc_obj: if doc_obj.doctype == 'Sales Invoice': customer = doc_obj.customer else: customer = doc_obj.customer_name - add_cond = " and master_name = '"+cstr(customer).replace("'", "\\'")+"'" + add_cond = " and master_name = '"+ frappe.db.escape(customer) +"'" if based_on == 'Itemwise Discount': if doc_obj: for t in doc_obj.get("items"):