[FIX] qweb: escape alt-field properly in image widget

This is very unlikely to be exploitable because the
alt-field usually comes from master data (e.g. product
names) that can't be injected.

Courtesy of Naglis Jonaitis
Olivier Dony 2016-04-14 10:55:37 +02:00
parent dc3f1e2211
commit 1d25fe1e05
1 changed file with 1 addition and 1 deletion


@ -300,7 +300,7 @@ class Image(orm.AbstractModel):
src = self.pool['website'].image_url(cr, uid, record, field_name, max_size)
alt = None
if options.get('alt-field') and getattr(record, options['alt-field'], None):
alt = record[options['alt-field']]
alt = escape(record[options['alt-field']])
elif options.get('alt'):
alt = options['alt']
img = '<img class="%s" src="%s" style="%s"%s/>' % (classes, src, options.get('style', ''), ' alt="%s"' % alt if alt else '')
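Review bot: the `escape` used on the new line must escape double quotes, because the value ends up inside a double-quoted attribute on the last line of the hunk (`' alt="%s"' % alt if alt else ''`); an escaper that only rewrites `<`, `>` and `&` (for instance `cgi.escape` without `quote=True`) would still let an alt value containing `"` terminate the attribute and inject further attributes on the `<img>`. The import or definition of `escape` is not visible in this hunk, so please confirm it resolves to a quote-aware HTML escaper in this module. The `elif options.get('alt'):` branch is left unescaped; that value comes from the template options rather than record data, so it is developer-controlled, but escaping it as well (`alt = escape(options['alt'])`) would make the widget safe regardless of where the value originates, and the same reasoning applies to `classes` and `options.get('style', '')`, which are interpolated into the same format string without escaping.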