diff --git a/addons/edi/controllers/main.py b/addons/edi/controllers/main.py
index 14cd97b3e62..7e27428b63b 100644
--- a/addons/edi/controllers/main.py
+++ b/addons/edi/controllers/main.py
@@ -1,4 +1,5 @@
import simplejson
+import urllib
import openerp.addons.web.http as openerpweb
import openerp.addons.web.controllers.main as webmain
@@ -14,11 +15,15 @@ class EDI(openerpweb.Controller):
modules_json = simplejson.dumps(modules)
js = "\n ".join('' % i for i in webmain.manifest_list(req, modules_str, 'js'))
css = "\n ".join('' % i for i in webmain.manifest_list(req, modules_str, 'css'))
+
+ # `url` may contain a full URL with a valid query string, we basically want to watch out for XML brackets and double-quotes
+ safe_url = urllib.quote_plus(url,':/?&;=')
+
return webmain.html_template % {
'js': js,
'css': css,
'modules': modules_json,
- 'init': 's.edi.edi_import("%s");' % url,
+ 'init': 's.edi.edi_import("%s");' % safe_url,
}
@openerpweb.jsonrequest
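Review bot: `urllib.quote_plus(url, ':/?&;=')` on the `safe_url` line also percent-encodes `%`, `+` and `#`, so a URL that already carries escapes, `+`-encoded spaces or a fragment is rewritten (`%20` becomes `%2520`, `+` becomes `%2B`) before it reaches `edi_import`, which contradicts the comment's own premise that the incoming query string is valid. `quote_plus` additionally maps spaces to `+`, which is only meaningful inside a query string, not in a path. Since the aim is to neutralise `"`, `'`, `<`, `>` and `\` for the string-in-inline-script context the `init` value appears destined for, `safe_url = urllib.quote(url, ':/?&;=%+#')` keeps those characters encoded (they are still outside the safe set) without altering legitimate ones. The comment would be more useful if it stated the mechanism rather than the worry: `# percent-encode everything except URL-structure characters, so quotes, angle brackets and backslashes never reach the inline script`. The method that receives `url` begins above this hunk, so any earlier validation of it is not visible here.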