From aadc83d0d92afc88829dfbb96abfe21a60cbc1a0 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Tue, 14 Oct 2025 18:37:59 +0530
Subject: [PATCH] fix: sanitize projects field in tasks webform (#50089)

Signed-off-by: Akhil Narang
(cherry picked from commit f8b50d3ffadfdcf6b0468099871944cd11c1e042)
---
 erpnext/projects/web_form/tasks/tasks.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/erpnext/projects/web_form/tasks/tasks.py b/erpnext/projects/web_form/tasks/tasks.py
index b42297314a9..fbd0866e0ac 100644
--- a/erpnext/projects/web_form/tasks/tasks.py
+++ b/erpnext/projects/web_form/tasks/tasks.py
@@ -1,15 +1,17 @@
+import urllib.parse
+
 import frappe


 def get_context(context):
- if frappe.form_dict.project:
- context.parents = [
- {"title": frappe.form_dict.project, "route": "/projects?project=" + frappe.form_dict.project}
- ]
- context.success_url = "/projects?project=" + frappe.form_dict.project
+ if project := frappe.form_dict.project:
+ title = frappe.utils.data.escape_html(project)
+ route = "/projects?" + urllib.parse.urlencode({"project": project})
+ context.parents = [{"title": title, "route": route}]
+ context.success_url = route

- elif context.doc and context.doc.get("project"):
- context.parents = [
- {"title": context.doc.project, "route": "/projects?project=" + context.doc.project}
- ]
- context.success_url = "/projects?project=" + context.doc.project
+ elif context.doc and (project := context.doc.get("project")):
+ title = frappe.utils.data.escape_html(project)
+ route = "/projects?" + urllib.parse.urlencode({"project": project})
+ context.parents = [{"title": title, "route": route}]
+ context.success_url = route
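Review bot: The `if` and `elif` branches of get_context now compute title, route, parents and success_url with four identical lines each and differ only in where project is read from; resolving project once and keeping a single body removes the duplication, so the escaping of this caller-controlled value cannot later drift between the two paths. `frappe.utils.data.escape_html` is reached by attribute chain off the bare `import frappe`; that presumably works because frappe's package imports pull the submodule in, but an explicit `from frappe.utils import escape_html` next to the new `import urllib.parse` would make the dependency visible at the top of the file. Both `frappe.form_dict.project` and `context.doc.get("project")` originate from the request, so the `urlencode` on route (which also becomes the redirect target `success_url`) and `escape_html` on the breadcrumb title should stay together in that single body, as sketched below. get_context fits entirely within the hunk.
```python
def get_context(context):
    project = frappe.form_dict.project or (context.doc and context.doc.get("project"))
    if project:
        # `project` is caller-supplied: escape it for the breadcrumb title and
        # URL-encode it for the query string that also serves as success_url.
        title = frappe.utils.data.escape_html(project)
        route = "/projects?" + urllib.parse.urlencode({"project": project})
        context.parents = [{"title": title, "route": route}]
        context.success_url = route
```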