fix(templates): escape attachment file_url and file_name in order.html and projects.html

diptanilsaha · mergify[bot] · commit 38bc5d69cdec · 2026-03-25T09:28:36.000Z
(cherry picked from commit d9760bb)
diff --git a/erpnext/templates/pages/order.html b/erpnext/templates/pages/order.html
@@ -140,7 +140,7 @@ <h3 class="m-0">{{ doc.name }}</h3>
 				<div class="col-sm-12">
 					{% for attachment in attachments %}
 					<p class="small">
-						<a href="{{ attachment.file_url }}" target="blank"> {{ attachment.file_name }} </a>
+						<a href="{{ attachment.file_url|e }}" target="blank"> {{ attachment.file_name|e }} </a>
 					</p>
 					{% endfor %}
 				</div>
diff --git a/erpnext/templates/pages/projects.html b/erpnext/templates/pages/projects.html
@@ -82,11 +82,11 @@ <h4>{{ _("Attachments") }}</h4>
     <div class="project-attachments">
       {% for attachment in doc.attachments %}
         <div class="attachment">
-          <a class="no-decoration attachment-link" href="{{ attachment.file_url }}" target="blank">
+          <a class="no-decoration attachment-link" href="{{ attachment.file_url|e }}" target="blank">
             <div class="row">
               <div class="col-xs-9">
                 <span class="indicator red file-name">
-                  {{ attachment.file_name }}</span>
+                  {{ attachment.file_name|e }}</span>
               </div>
               <div class="col-xs-3">
                 <span class="pull-right file-size">{{ attachment.file_size }}</span>
