fix: sanitize projects field in tasks webform (#50089)

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
(cherry picked from commit f8b50d3ffa)

erpnext/projects/web_form/tasks/tasks.py

@@ -1,15 +1,17 @@
+import urllib.parse
+
 import frappe
 
 
 def get_context(context):
-	if frappe.form_dict.project:
-		context.parents = [
-			{"title": frappe.form_dict.project, "route": "/projects?project=" + frappe.form_dict.project}
-		]
-		context.success_url = "/projects?project=" + frappe.form_dict.project
+	if project := frappe.form_dict.project:
+		title = frappe.utils.data.escape_html(project)
+		route = "/projects?" + urllib.parse.urlencode({"project": project})
+		context.parents = [{"title": title, "route": route}]
+		context.success_url = route
 
-	elif context.doc and context.doc.get("project"):
-		context.parents = [
-			{"title": context.doc.project, "route": "/projects?project=" + context.doc.project}
-		]
-		context.success_url = "/projects?project=" + context.doc.project
+	elif context.doc and (project := context.doc.get("project")):
+		title = frappe.utils.data.escape_html(project)
+		route = "/projects?" + urllib.parse.urlencode({"project": project})
+		context.parents = [{"title": title, "route": route}]
+		context.success_url = route