From 1d25fe1e05d61c9b6be5d3bd25a65e5b8c4696b7 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Thu, 14 Apr 2016 10:55:37 +0200
Subject: [PATCH] [FIX] qweb: escape alt-field properly in image widget

This is very unlikely to be exploitable because the alt-field usually comes from master data (e.g. product names) that can't be injected. Courtesy of Naglis Jonaitis
---
 addons/website/models/ir_qweb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/addons/website/models/ir_qweb.py b/addons/website/models/ir_qweb.py
index 85fe6a3a2f8..27806bbe437 100644
--- a/addons/website/models/ir_qweb.py
+++ b/addons/website/models/ir_qweb.py
@@ -300,7 +300,7 @@ class Image(orm.AbstractModel):
 src = self.pool['website'].image_url(cr, uid, record, field_name, max_size)
 alt = None
 if options.get('alt-field') and getattr(record, options['alt-field'], None):
- alt = record[options['alt-field']]
+ alt = escape(record[options['alt-field']])
 elif options.get('alt'):
 alt = options['alt']
 img = '' % (classes, src, options.get('style', ''), ' alt="%s"' % alt if alt else '')
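Review bot: The escaped value is interpolated into a double-quoted attribute (`' alt="%s"' % alt` on the last context line), so the added `escape(record[options['alt-field']])` only closes the injection if the `escape` that is bound here also encodes `"` — `markupsafe.escape` and `werkzeug.utils.escape` (0.9+) do, while `cgi.escape` leaves quotes alone by default; the import is outside the hunk, so confirm which one is in scope. The `elif options.get('alt')` branch still interpolates `options['alt']` unescaped; that value presumably comes from the template's field options rather than record data, but if those options can ever carry user-supplied text the same `alt = escape(options['alt'])` should apply there. The enclosing method starts and ends outside the hunk.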