From 30f06fd39e856a97c5aed7cff461e1bb207232bc Mon Sep 17 00:00:00 2001
From: Martin Trigaux
Date: Thu, 2 Jun 2016 16:02:48 +0200
Subject: [PATCH] [FIX] website_forum: convert content of posted comment to plaintext HTML content should be escaped before being sanitized. Any content (link, image, code,...) that is acceptable in usual mail.message but should not be interprated when posted on a comment of the forum. Fixes #3737
---
 addons/website_forum/controllers/main.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/addons/website_forum/controllers/main.py b/addons/website_forum/controllers/main.py
index 4323e03720f..95a8062e37b 100644
--- a/addons/website_forum/controllers/main.py
+++ b/addons/website_forum/controllers/main.py
@@ -347,9 +347,10 @@ class WebsiteForum(http.Controller):
 cr, uid, context = request.cr, request.uid, request.context
 if kwargs.get('comment') and post.forum_id.id == forum.id:
 # TDE FIXME: check that post_id is the question or one of its answers
+ body = tools.mail.plaintext2html(kwargs['comment'])
 request.registry['forum.post'].message_post(
 cr, uid, post.id,
- body=kwargs.get('comment'),
+ body=body,
 type='comment', subtype='mt_comment',
 context=dict(context, mail_create_nosubscribe=True))