[7.0] Important field not escaped (Messaging / Inbox / Record Name)
Bug #1276078 reported by
Arnaud Pineux (OpenERP)
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Odoo Addons (MOVED TO GITHUB) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
1) To reproduce:
- Change the name of the demo user to <script>alert('demo user')</script>
- Go on Messaging/ Inbox menu
- If there are message that concern "demo user" then you should have a popup showing "demo user"
2) Result observed:
The script is executed
3) Result expected:
The record name should be escaped or sanitized
4) Fedora/Chrome
5) Tested on 7.0 (on runbot)
Related branches
lp:~openerp-dev/openobject-addons/7.0-bug-1276078-mat
- OpenERP Core Team: Pending requested
-
Diff: 128 lines (+19/-19)2 files modifiedmail/static/src/xml/mail.xml (+17/-17)
mail/static/src/xml/mail_followers.xml (+2/-2)
| Changed in openobject-addons: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
Revision history for this message
| Martin Trigaux (OpenERP) (mat-openerp) wrote | #1 |
| Changed in openobject-addons: | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
Fix merged in 7.0, thanks for the report
revno: 9807 [merge]
revision-id: <email address hidden>