[fix] allow a method to be defined as xss_safe

frappe/__init__.py

@@ -353,7 +353,8 @@ def sendmail(recipients=(), sender="", subject="No Subject", message="No Message
 logger = None
 whitelisted = []
 guest_methods = []
-def whitelist(allow_guest=False):
+xss_safe_methods = []
+def whitelist(allow_guest=False, xss_safe=False):
 	"""
 	Decorator for whitelisting a function and making it accessible via HTTP.
 	Standard request will be `/api/method/[path.to.method]`
@@ -373,6 +374,9 @@ def whitelist(allow_guest=False):
 		if allow_guest:
 			guest_methods.append(fn)
 
+			if xss_safe:
+				xss_safe_methods.append(fn)
+
 		return fn
 
 	return innerfn

frappe/handler.py

@@ -93,12 +93,13 @@ def execute_cmd(cmd, from_async=False):
 			frappe.msgprint(_("Not permitted"))
 			raise frappe.PermissionError('Not Allowed, {0}'.format(method))
 
-		# strictly sanitize form_dict
-		# escapes html characters like <> except for predefined tags like a, b, ul etc.
-		# if required, we can add more whitelisted tags like div, p, etc. (see its documentation)
-		for key, value in frappe.form_dict.items():
-			if isinstance(value, basestring):
-				frappe.form_dict[key] = bleach.clean(value)
+		if method not in frappe.xss_safe_methods:
+			# strictly sanitize form_dict
+			# escapes html characters like <> except for predefined tags like a, b, ul etc.
+			# if required, we can add more whitelisted tags like div, p, etc. (see its documentation)
+			for key, value in frappe.form_dict.items():
+				if isinstance(value, basestring):
+					frappe.form_dict[key] = bleach.clean(value)
 
 	else:
 		if not method in frappe.whitelisted: