Minor fixes: escaped characters
diff --git a/erpnext/utilities/doctype/note/note.py b/erpnext/utilities/doctype/note/note.py
index 2db4137..e076af4 100644
--- a/erpnext/utilities/doctype/note/note.py
+++ b/erpnext/utilities/doctype/note/note.py
@@ -27,7 +27,7 @@
return """(`tabNote`.public=1 or `tabNote`.owner="{user}" or exists (
select name from `tabNote User`
where `tabNote User`.parent=`tabNote`.name
- and `tabNote User`.user="{user}"))""".format(user=user)
+ and `tabNote User`.user="{user}"))""".format(user=frappe,db.escape(user))
def has_permission(doc, ptype, user):
if doc.public == 1 or user == "Administrator":