Closed brownharryb closed 7 years ago
Hello @brownharryb Please update with the error thrown. I'll need this for proper testing.
Hello @brownharryb I have already pushed a PR that escapes the SQL query. Please add the full traceback so I can be sure of what's going on.
Hi @tundebabzy I really don't have the traceback, but I can give a trace of what occurred. From https://github.com/frappe/erpnext/blob/develop/erpnext/templates/pages/rfq.py
The get_context(context) function doesn't call update_supplier_details(context) function, so, context.doc.currency_symbol and currency.doc.buying_price_list is not set before context is pushed to the jinja template. This happens because the code stops execution at unauthorized_user(context.doc.supplier) through check_supplier_has_docname_access(supplier) that has the sql statement. The jinja template engine just renders the error {{no such element ...}} as plain text for both doc.currency_symbol and doc.buying_price_list which is visible to the user. Then, when the user tries to submit the form, the system calls https://github.com/frappe/erpnext/blob/develop/erpnext/setup/utils.py#L58 with from_currency as {{no such element ...}} and https://github.com/frappe/erpnext/blob/develop/erpnext/stock/get_item_details.py#L297 with args.price_list as {{no such element ...}} throwing the error in the screenshot above.
Regards.
A particular supplier's name on our system contains a single quote ("... int'l...") and this is giving errors when the supplier tries to submit their quotation for an rfq sent out earlier. The error comes from this line of code.
https://github.com/frappe/erpnext/blob/develop/erpnext/templates/pages/rfq.py#L32
I think this is clearly a bug. An immediate solution to this might be to use double quotes for the "{supplier}" in the SQL statement. But a proper way of sanitizing these parameters might not be a bad idea.
Regards.
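Added example, not part of the thread and not ERPNext's code: a self-contained Python sketch of the failure reported above, comparing a query built by pasting the supplier name into the SQL text with one that passes it as a bound parameter. It uses the standard-library sqlite3 module as a stand-in for the real database; the table, columns and supplier names are hypothetical and the data is constructed.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
SUPPLIERS = ["Acme Int'l Supplies", 'Acme "Global" Ltd', "Plain Supplier"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portal_user (supplier TEXT, user TEXT)")
    conn.executemany(
        "INSERT INTO portal_user VALUES (?, ?)",
        [(name, "user%d@example.com" % i) for i, name in enumerate(SUPPLIERS)],
    )
    return conn


def lookup_formatted(conn, supplier, quote="'"):
    """Pattern from the report: the value is pasted into the SQL text."""
    sql = "SELECT user FROM portal_user WHERE supplier = {q}{s}{q}".format(
        q=quote, s=supplier
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, supplier):
    """The value is bound separately from the SQL text, so quotes stay data."""
    return conn.execute(
        "SELECT user FROM portal_user WHERE supplier = ?", (supplier,)
    ).fetchall()


def breaks(conn, supplier, quote):
    """True if the formatted query fails to parse for this supplier name."""
    try:
        lookup_formatted(conn, supplier, quote)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for name in SUPPLIERS:
        print(repr(name),
              "single-quoted breaks:", breaks(db, name, "'"),
              "| parameterized:", lookup_parameterized(db, name))
    # Switching the delimiter only moves the problem to names with a double quote.
    print("double-quoted breaks:", breaks(db, 'Acme "Global" Ltd', '"'))
```

Changing the quote character only changes which names break the statement, while the bound-parameter form returns the right row for every name.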