From 08604812d81c42904f2eebd7f453bcdcbf060642 Mon Sep 17 00:00:00 2001
From: Simon Lejeune
Date: Fri, 12 Dec 2014 15:22:33 +0100
Subject: [PATCH] [FIX] Report: html escape the error json string

session.get_file appends the json to the body of the generated iframe and then tries to json.parse it by reading contentNode on the body. Exceptions from `report_download` method may contain `<` and `>`, so when json.parse tries to json.parse the contentNode, it reads only a part of the original json string. htmlescaping the json string solves the issue by preventing the content of the json string to be interpreted as html.
---
 addons/report/controllers/main.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/addons/report/controllers/main.py b/addons/report/controllers/main.py
index d2df2b0db98..6a8f06c8d90 100644
--- a/addons/report/controllers/main.py
+++ b/addons/report/controllers/main.py
@@ -22,6 +22,7 @@
 from openerp.addons.web.http import Controller, route, request
 from openerp.addons.web.controllers.main import _serialize_exception
 from openerp.osv import osv
+from openerp.tools import html_escape
 import simplejson
 from werkzeug import exceptions, url_decode
@@ -137,7 +138,7 @@ class ReportController(Controller):
 'message': "Odoo Server Error",
 'data': se
 }
- return request.make_response(simplejson.dumps(error))
+ return request.make_response(html_escape(simplejson.dumps(error)))
 @route(['/report/check_wkhtmltopdf'], type='json', auth="user")
 def check_wkhtmltopdf(self):
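Review bot: The new `return request.make_response(html_escape(simplejson.dumps(error)))` in the second hunk makes the body valid JSON only after HTML decoding, and nothing at the call site says so. Going by the commit message, the client reads it back from the iframe's DOM, so the escape is also what keeps `<` and `>` in exception text from being parsed as markup there; a later reader who sees "escaped JSON" could take it for a mistake and remove it. I would add a comment above the return, e.g. `# Body is read back from the iframe DOM by session.get_file: escape so exception text is never parsed as HTML`. Any consumer that parses the raw response body instead of the DOM text would now see entities rather than JSON (assuming html_escape also encodes quotes), which is worth confirming. The enclosing method starts outside the hunk, so the exception path that builds `se` is not visible here.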