fix(item_dashboard): escaping warehouse, item_code, stock_uom and item_name on get_data (backport #53904) (#53914)

mergify[bot] · diptanilsaha · web-flow · commit 4ac6347cc56f · 2026-03-30T09:52:17.000Z
Co-authored-by: diptanilsaha <diptanil@frappe.io> fix(item_dashboard): escaping `warehouse`, `item_code`, `stock_uom` and `item_name` on `get_data` (#53904)
diff --git a/erpnext/stock/dashboard/item_dashboard.py b/erpnext/stock/dashboard/item_dashboard.py
@@ -1,6 +1,6 @@
 import frappe
 from frappe.desk.reportview import build_match_conditions
-from frappe.utils import cint, flt
+from frappe.utils import cint, escape_html, flt
 
 from erpnext.stock.doctype.stock_reservation_entry.stock_reservation_entry import (
 	get_sre_reserved_qty_for_items_and_warehouses as get_reserved_stock_details,
@@ -70,8 +70,10 @@ def get_data(
 	for item in items:
 		item.update(
 			{
-				"item_name": frappe.get_cached_value("Item", item.item_code, "item_name"),
-				"stock_uom": frappe.get_cached_value("Item", item.item_code, "stock_uom"),
+				"item_code": escape_html(item.item_code),
+				"item_name": escape_html(frappe.get_cached_value("Item", item.item_code, "item_name")),
+				"stock_uom": escape_html(frappe.get_cached_value("Item", item.item_code, "stock_uom")),
+				"warehouse": escape_html(item.warehouse),
 				"disable_quick_entry": frappe.get_cached_value("Item", item.item_code, "has_batch_no")
 				or frappe.get_cached_value("Item", item.item_code, "has_serial_no"),
 				"projected_qty": flt(item.projected_qty, precision),
diff --git a/erpnext/stock/dashboard/item_dashboard_list.html b/erpnext/stock/dashboard/item_dashboard_list.html
@@ -50,15 +50,15 @@
 					data-warehouse="{{ d.warehouse }}"
 					data-actual_qty="{{ d.actual_qty }}"
 					data-stock-uom="{{ d.stock_uom }}"
-					data-item="{{ escape(d.item_code) }}">{{ __("Move") }}</a>
+					data-item="{{ d.item_code }}">{{ __("Move") }}</button>
 				{% endif %}
 				<button style="margin-left: 7px;" class="btn btn-default btn-xs btn-add"
 					data-disable_quick_entry="{{ d.disable_quick_entry }}"
 					data-warehouse="{{ d.warehouse }}"
 					data-actual_qty="{{ d.actual_qty }}"
 					data-stock-uom="{{ d.stock_uom }}"
-					data-item="{{ escape(d.item_code) }}"
-					data-rate="{{ d.valuation_rate }}">{{ __("Add") }}</a>
+					data-item="{{ d.item_code }}"
+					data-rate="{{ d.valuation_rate }}">{{ __("Add") }}</button>
 			</div>
 			{% endif %}
 		</div>
