From a3b9994a3e33efdd770a2ecd15320e59255bde08 Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Tue, 18 Jun 2013 13:10:59 +0200
Subject: [PATCH] [FIX] correctly escape labels in search view completion

lp bug: https://launchpad.net/bugs/1191699 fixed
bzr revid: xmo@openerp.com-20130618111059-v7tx4kpzv72c9pz0
---
 addons/web/static/src/js/search.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/addons/web/static/src/js/search.js b/addons/web/static/src/js/search.js
index 2097cd62434..07d1407392e 100644
--- a/addons/web/static/src/js/search.js
+++ b/addons/web/static/src/js/search.js
@@ -1181,7 +1181,7 @@ instance.web.search.FilterGroup = instance.web.search.Input.extend(/** @lends in
 return $.when(_.map(facet_values, function (facet_value) {
 return {
 label: _.str.sprintf(self.completion_label.toString(),
- facet_value.label),
+ _.escape(facet_value.label)),
 facet: self.make_facet([facet_value])
 }
 }));
@@ -1349,8 +1349,8 @@ instance.web.search.CharField = instance.web.search.Field.extend( /** @lends ins
 if (_.isEmpty(value)) { return $.when(null); }
 var label = _.str.sprintf(_.str.escapeHTML(
 _t("Search %(field)s for: %(value)s")), {
- field: '' + this.attrs.string + '',
- value: '' + _.str.escapeHTML(value) + ''});
+ field: '' + _.escape(this.attrs.string) + '',
+ value: '' + _.escape(value) + ''});
 return $.when([{
 label: label,
 facet: {
@@ -1367,8 +1367,8 @@ instance.web.search.NumberField = instance.web.search.Field.extend(/** @lends in
 if (isNaN(val)) { return $.when(); }
 var label = _.str.sprintf(
 _t("Search %(field)s for: %(value)s"), {
- field: '' + this.attrs.string + '',
- value: '' + _.str.escapeHTML(value) + ''});
+ field: '' + _.escape(this.attrs.string) + '',
+ value: '' + _.escape(value) + ''});
 return $.when([{
 label: label,
 facet: {
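Review bot: Nothing in the FilterGroup hunk records why `facet_value.label` now passes through `_.escape`: the completion `label` is evidently consumed as HTML (this is what lp:1191699 is about), yet the contract that every value interpolated into it must be HTML-escaped lives only in the reader's head, so the next contributor adding a completion source will repeat the original bug. I would add above the `label:` line: `// completion labels are rendered as HTML; escape everything interpolated into them`. `self.completion_label` itself is interpolated unescaped, which is acceptable only while it remains a translated template with no user-controlled text, and that assumption deserves a word in the same comment. The enclosing completion function starts and ends outside the hunk.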
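Review bot: The NumberField hunk passes the bare `_t("Search %(field)s for: %(value)s")` template to `_.str.sprintf`, while the CharField hunk directly above wraps the identical template in `_.str.escapeHTML(...)`; after this commit a translation containing `<` or `&` is escaped in one label and emitted raw in the other. Either the translation catalog is trusted, in which case the wrapper in CharField is dead weight, or it is not, in which case NumberField should read `var label = _.str.sprintf(_.str.escapeHTML(` / `_t("Search %(field)s for: %(value)s")), {` so both fields agree. The escaped text is also the raw `value` argument rather than the parsed `val` checked by `isNaN` two lines earlier; that looks deliberate (it echoes what the user typed) but a one-line comment saying so would save the next reader the question. The enclosing function begins and ends outside the hunk.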
@@ -1456,13 +1456,13 @@ instance.web.search.SelectionField = instance.web.search.Field.extend(/** @lends
 })
 .map(function (sel) {
 return {
- label: sel[1],
+ label: _.escape(sel[1]),
 facet: facet_from(self, sel)
 };
 }).value();
 if (_.isEmpty(results)) { return $.when(null); }
 return $.when.call(null, [{
- label: this.attrs.string
+ label: _.escape(this.attrs.string)
 }].concat(results));
 },
 facet_for: function (value) {
@@ -1500,7 +1500,7 @@ instance.web.search.DateField = instance.web.search.Field.extend(/** @lends inst
 var date_string = instance.web.format_value(d, this.attrs);
 var label = _.str.sprintf(_.str.escapeHTML(
 _t("Search %(field)s at: %(value)s")), {
- field: '' + this.attrs.string + '',
+ field: '' + _.escape(this.attrs.string) + '',
 value: '' + date_string + ''});
 return $.when([{
 label: label,
@@ -1547,10 +1547,10 @@ instance.web.search.ManyToOneField = instance.web.search.CharField.extend({
 context: context
 }).then(function (results) {
 if (_.isEmpty(results)) { return null; }
- return [{label: self.attrs.string}].concat(
+ return [{label: _.escape(self.attrs.string)}].concat(
 _(results).map(function (result) {
 return {
- label: result[1],
+ label: _.escape(result[1]),
 facet: facet_from(self, result)
 };
 }));
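Review bot: In the DateField hunk `date_string` is still concatenated into the label unescaped on the line right after the changed one, while `this.attrs.string` in the same object literal now gets `_.escape`. `date_string` comes from `instance.web.format_value(d, this.attrs)`, so its content depends on the same view attributes the commit has just stopped trusting; unless format_value is known never to emit `<`, `>` or `&` for any date format, `value: '' + _.escape(date_string) + ''});` is the consistent, zero-cost choice and removes the need for anyone to reason about it. The enclosing completion function runs past the end of the hunk.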
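Review bot: In the ManyToOneField hunk only the completion entry's `label` is escaped; the same `result[1]` (a record display name returned by the server, presumably settable by ordinary users) is also handed to `facet_from(self, result)` on the following line, and whatever label `facet_from` derives from it for the facet chip is untouched by this commit. If that facet label is rendered through the same HTML path as the completion label it needs the same `_.escape`; if `facet_from` escapes it or inserts it as text, a comment at the call site such as `// facet_from handles escaping of result[1] itself` would stop the next reviewer from re-raising this. `facet_from` is defined outside the hunk, so this is inferred from the pattern rather than verified. The enclosing `then` callback and its function begin outside the hunk.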