[FIX] correctly htmlescape data in format_cell

* htmlescape everything coming from format_value
* use _.template instead of _.str.sprintf to more easily escape data in binary rendering
* move progressbar rendering to format_cell since it produces HTML nodes, render it via _.template

bzr revid: xmo@openerp.com-20120111095853-voaoxkvdls294q5s
Xavier Morel 2012-01-11 10:58:53 +01:00
parent f669d740b5
commit 2b736ee2cf
1 changed files with 9 additions and 8 deletions


@ -102,10 +102,6 @@ openerp.web.format_value = function (value, descriptor, value_if_empty) {
return _.str.sprintf("%02d:%02d",
Math.floor(value),
Math.round((value % 1) * 60));
case 'progressbar':
return _.str.sprintf(
'<progress value="%.2f" max="100.0">%.2f%%</progress>',
value, value);
case 'many2one':
// name_get value format
return value[1];
@ -284,7 +280,7 @@ openerp.web.format_cell = function (row_data, column, options) {
return options.value_if_empty === undefined ? '' : options.value_if_empty;
}
switch (column.type) {
switch (column.widget || column.type) {
case "boolean":
return _.str.sprintf('<input type="checkbox" %s disabled="disabled"/>',
row_data[column.id].value ? 'checked="checked"' : '');
@ -298,15 +294,20 @@ openerp.web.format_cell = function (row_data, column, options) {
row_data[column.filename].value, {type: 'char'}));
}
}
return _.str.sprintf('<a href="%(href)s">%(text)s</a> (%(size)s)', {
return _.template('<a href="<%-href%>"><%-text%></a> (%<-size%>)', {
text: text,
href: download_url,
size: row_data[column.id].value
});
case 'progressbar':
return _.template(
'<progress value="<%-value%>" max="100"><%-value%>%</progress>', {
value: row_data[column.id].value
});
}
return openerp.web.format_value(
row_data[column.id].value, column, options.value_if_empty);
return _.escape(openerp.web.format_value(
row_data[column.id].value, column, options.value_if_empty));
}
};
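Review bot: In the binary branch of format_cell the size placeholder in the new template is written `%<-size%>`, which is not an escape delimiter, so it is emitted literally and the size is never rendered; it should read `'<a href="<%-href%>"><%-text%></a> (<%-size%>)'`. The early return at the top of the second hunk still hands back `options.value_if_empty` unescaped, while the final return now passes the same value through `_.escape` via format_value, so the two paths disagree. If callers are meant to supply markup there, a comment saying so would help; otherwise wrap that return in `_.escape` too. HTML-escaping `href` also does not constrain the URL scheme. `download_url` is built outside the visible lines, so it is presumably a fixed server path, but that is worth confirming. format_cell's body begins outside these hunks.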