[FIX] website_forum: convert content of posted comment to plaintext

HTML content should be escaped before being sanitized. Any content (link, image,
code, ...) is acceptable in usual mail.message but should not be interpreted
when posted on a comment of the forum.

Fixes #3737
Martin Trigaux 2016-06-02 16:02:48 +02:00
parent c751c129da
commit 30f06fd39e
No known key found for this signature in database
GPG Key ID: 7B0E288E7C0F83A7
1 changed files with 2 additions and 1 deletions

@ -347,9 +347,10 @@ class WebsiteForum(http.Controller):
cr, uid, context = request.cr, request.uid, request.context
if kwargs.get('comment') and post.forum_id.id == forum.id:
# TDE FIXME: check that post_id is the question or one of its answers
body = tools.mail.plaintext2html(kwargs['comment'])
request.registry['forum.post'].message_post(
cr, uid, post.id,
body=kwargs.get('comment'),
body=body,
type='comment',
subtype='mt_comment',
context=dict(context, mail_create_nosubscribe=True))
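
Review bot: the conversion at `body = tools.mail.plaintext2html(kwargs['comment'])` sits only in this controller method, so the plaintext guarantee holds for this route and not for any other caller of `forum.post` `message_post` with `type='comment'`. Consider moving the conversion into the model's handling of comment-type messages, or at least add a one-line comment here saying forum comments are treated as plaintext by design, so the call is not later "simplified" back to `body=kwargs.get('comment')`. The change touches one file and brings no test; a regression test that posts a comment containing a link or image tag and asserts the stored body has the markup escaped would pin the behaviour. The `TDE FIXME` about checking that the post is the question or one of its answers is still open in this block and is worth tracking separately.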