[FIX] double html-escaping of group titles in grouped lists (eg analysis)

bzr revid: xmo@openerp.com-20121106140519-0qnq934rr44l6kgt
2012-11-06 15:05:19 +01:00 · 2012-11-06 15:05:19 +01:00 · 4f52103aa0
parent 97455e2c2b
commit 4f52103aa0
1 changed files with 4 additions and 2 deletions
--- a/addons/web/static/src/js/view_list.js
+++ b/addons/web/static/src/js/view_list.js
@ -1306,9 +1306,11 @@ instance.web.ListView.Groups = instance.web.Class.extend( /** @lends instance.we
                        process_modifiers: false
                    });
                } catch (e) {
-                    group_label = row_data[group_column.id].value;
+                    group_label = _.str.escapeHTML(row_data[group_column.id].value);
                }
-                $group_column.text(_.str.sprintf("%s (%d)",
+                // group_label is html-clean (through format or explicit
+                // escaping if format failed), can inject straight into HTML
+                $group_column.html(_.str.sprintf("%s (%d)",
                    group_label, group.length));

                if (group.length && group.openable) {