From 35233dbbe219297df919dd7670188420c0afd0ca Mon Sep 17 00:00:00 2001
From: Christophe Simonis <chs@odoo.com>
Date: Fri, 11 Sep 2015 16:42:47 +0200
Subject: [PATCH] [FIX] core: tools.html_sanitize: allow svg images

---
 openerp/tools/mail.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/openerp/tools/mail.py b/openerp/tools/mail.py
index 693dbecaaf6..f8e46c362f4 100644
--- a/openerp/tools/mail.py
+++ b/openerp/tools/mail.py
@@ -54,6 +54,12 @@ safe_attrs = clean.defs.safe_attrs | frozenset(
      ])
 
 
+class _Cleaner(clean.Cleaner):
+    def allow_element(self, el):
+        if el.tag == 'object' and el.get('type') == "image/svg+xml":
+            return True
+        return super(_Cleaner, self).allow_element(el)
+
 def html_sanitize(src, silent=True, strict=False, strip_style=False):
     if not src:
         return src
@@ -99,7 +105,7 @@ def html_sanitize(src, silent=True, strict=False, strip_style=False):
 
     try:
         # some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
-        cleaner = clean.Cleaner(**kwargs)
+        cleaner = _Cleaner(**kwargs)
         cleaned = cleaner.clean_html(src)
         # MAKO compatibility: $, { and } inside quotes are escaped, preventing correct mako execution
         cleaned = cleaned.replace('%24', '$')