From 8fdbf2a66b17aba5d96b3419c968c5f032d00527 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Tue, 12 Feb 2013 19:15:47 +0100
Subject: [PATCH] [FIX] edi: properly escape URL parameter for import_url controller
lp bug: https://launchpad.net/bugs/1118601 fixed
bzr revid: odo@openerp.com-20130212181547-ktdklbz2msfkcw6h
---
 addons/edi/controllers/main.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/addons/edi/controllers/main.py b/addons/edi/controllers/main.py
index 14cd97b3e62..7e27428b63b 100644
--- a/addons/edi/controllers/main.py
+++ b/addons/edi/controllers/main.py
@@ -1,4 +1,5 @@
 import simplejson
+import urllib
 import openerp.addons.web.http as openerpweb
 import openerp.addons.web.controllers.main as webmain
@@ -14,11 +15,15 @@ class EDI(openerpweb.Controller):
 modules_json = simplejson.dumps(modules)
 js = "\n ".join('' % i for i in webmain.manifest_list(req, modules_str, 'js'))
 css = "\n ".join('' % i for i in webmain.manifest_list(req, modules_str, 'css'))
+
+ # `url` may contain a full URL with a valid query string, we basically want to watch out for XML brackets and double-quotes
+ safe_url = urllib.quote_plus(url,':/?&;=')
+
 return webmain.html_template % {
 'js': js,
 'css': css,
 'modules': modules_json,
- 'init': 's.edi.edi_import("%s");' % url,
+ 'init': 's.edi.edi_import("%s");' % safe_url,
 }
 
 @openerpweb.jsonrequest
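Review bot: `urllib.quote_plus(url, ':/?&;=')` leaves `%` out of the safe set, so a URL that already carries a percent-encoded query string (exactly the case the new comment says to expect) is double-encoded, `%20` becoming `%2520`, before the client-side `edi_import` ever sees it; adding `%` to the safe characters, `safe_url = urllib.quote_plus(url, ':/?&;=%')`, keeps the escaping of `"`, `\`, `<` and `>` that protects the JavaScript string literal inside `html_template` while passing already-encoded URLs through unchanged. On Python 2, which the file's `simplejson`/`urllib` usage suggests, `quote_plus` also raises `KeyError` when `url` is a unicode object containing non-ASCII characters, so the parameter should presumably be encoded to UTF-8 first; confirm what type the request layer hands in. Spaces are still turned into `+` rather than `%20`, which is fine in a query string but can change the meaning of a path segment. The enclosing method starts before this hunk, so whether `url` is validated (scheme, emptiness) earlier is not visible here.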