[FIX] website_forum: convert content of posted comment to plaintext
HTML content should be escaped before being sanitized. Any content (link, image, code, ...) is acceptable in a usual mail.message but should not be interpreted when posted in a comment of the forum. Fixes #3737
parent
c751c129da
commit
30f06fd39e
|
@ -347,9 +347,10 @@ class WebsiteForum(http.Controller):
|
|||
cr, uid, context = request.cr, request.uid, request.context
|
||||
if kwargs.get('comment') and post.forum_id.id == forum.id:
|
||||
# TDE FIXME: check that post_id is the question or one of its answers
|
||||
body = tools.mail.plaintext2html(kwargs['comment'])
|
||||
request.registry['forum.post'].message_post(
|
||||
cr, uid, post.id,
|
||||
body=kwargs.get('comment'),
|
||||
body=body,
|
||||
type='comment',
|
||||
subtype='mt_comment',
|
||||
context=dict(context, mail_create_nosubscribe=True))
|
||||
|
|
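Review bot: the conversion at `body = tools.mail.plaintext2html(kwargs['comment'])` is the only step between the submitted comment and what gets stored, but nothing in the hunk says so. Add a short comment there stating that the comment text is untrusted and must reach `message_post` already escaped, so a later refactor does not pass `kwargs.get('comment')` straight through again. The `TDE FIXME` just above it is still open: the guard only compares `post.forum_id.id` with `forum.id`, and the check that the post is the question or one of its answers remains undone. A regression test that posts a comment containing markup and asserts it comes back as text would pin this fix; none is visible in this hunk.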