[FIX] edi: properly escape URL parameter for import_url controller
lp bug: https://launchpad.net/bugs/1118601 fixed bzr revid: odo@openerp.com-20130212181547-ktdklbz2msfkcw6h
parent
0e6cbee68c
commit
8fdbf2a66b
|
@ -1,4 +1,5 @@
|
|||
import simplejson
|
||||
import urllib
|
||||
|
||||
import openerp.addons.web.http as openerpweb
|
||||
import openerp.addons.web.controllers.main as webmain
|
||||
|
@ -14,11 +15,15 @@ class EDI(openerpweb.Controller):
|
|||
modules_json = simplejson.dumps(modules)
|
||||
js = "\n ".join('<script type="text/javascript" src="%s"></script>' % i for i in webmain.manifest_list(req, modules_str, 'js'))
|
||||
css = "\n ".join('<link rel="stylesheet" href="%s">' % i for i in webmain.manifest_list(req, modules_str, 'css'))
|
||||
|
||||
# `url` may contain a full URL with a valid query string, we basically want to watch out for XML brackets and double-quotes
|
||||
safe_url = urllib.quote_plus(url,':/?&;=')
|
||||
|
||||
return webmain.html_template % {
|
||||
'js': js,
|
||||
'css': css,
|
||||
'modules': modules_json,
|
||||
'init': 's.edi.edi_import("%s");' % url,
|
||||
'init': 's.edi.edi_import("%s");' % safe_url,
|
||||
}
|
||||
|
||||
@openerpweb.jsonrequest
|
||||
|
|
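Review bot: `urllib.quote_plus(url,':/?&;=')` applies URL encoding to a value that the `'init'` entry places inside a JavaScript string literal, and because `%` is not in the safe list, a URL whose query string is already percent-escaped is encoded a second time (`%20` becomes `%2520`, a literal `+` becomes `%2B`). Encoding for the actual output context keeps the URL intact while still neutralising double-quotes, backslashes, newlines and `<`: `'init': 's.edi.edi_import(%s);' % simplejson.dumps(url).replace('<', '\\u003c'),`. On Python 2, `quote_plus` can also raise `KeyError` when given a unicode value containing non-ASCII characters, which is worth checking if `url` arrives as unicode from the request. The enclosing controller method starts above this hunk, so whether `url` is validated earlier (for example restricted to http/https) is not visible here.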