[FIX] qweb: escape alt-field properly in image widget
This is very unlikely to be exploitable because the alt-field value usually comes from master data (e.g. product names) that is not attacker-controlled. Courtesy of Naglis Jonaitis
parent
dc3f1e2211
commit
1d25fe1e05
@ -300,7 +300,7 @@ class Image(orm.AbstractModel):
src = self.pool['website'].image_url(cr, uid, record, field_name, max_size)
alt = None
if options.get('alt-field') and getattr(record, options['alt-field'], None):
alt = record[options['alt-field']]
alt = escape(record[options['alt-field']])
elif options.get('alt'):
alt = options['alt']
img = '<img class="%s" src="%s" style="%s"%s/>' % (classes, src, options.get('style', ''), ' alt="%s"' % alt if alt else '')
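Review bot: The escaped value is interpolated into a double-quoted attribute (`' alt="%s"' % alt`), so the fix only holds if the `escape` in use encodes `"` — `cgi.escape` does not unless called as `escape(value, quote=True)`, and the import is not visible in this hunk, so please confirm which one it is; a value containing `" onerror="...` would otherwise still close the attribute. The `elif options.get('alt')` branch feeds the same sink unescaped, and it is presumably template-supplied rather than record data, but for consistency I would write `alt = escape(options['alt'])` there too. The remaining interpolated pieces on the last line (`classes`, `src`, `options.get('style', '')`) are likewise inserted verbatim; if any of them can come from record data the same treatment applies. The enclosing method starts and ends outside the hunk.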