Steps to reproduce:
-go to runbot 8.0 and connect
-go into Human Resources/Job Positions
-pass into list view and click on the first item
-click on the url to open this record into the website (website_published)
-go back (back into the browser)
-you're now into the form view again and then next step is to click on the button
"next" to access the following record
-click on the url of website_published
Before the fix:
wrong record, this is the previous one that is into the href
After the fix:
correct record with the correct id into the href
Closes #11800
opw:675832
This is very unlikely to be exploitable because the
alt-field usually comes from master data (e.g. product
names) that can't be injected.
Courtesy of Naglis Jonaitis
request.website.get_languages returns a list of tuple in the form:
(`language code`, `language name`)
With this commit the code first checks if there is a language exactly
matching, and only if that fails checks if there is a match on the short
form.
closes #11613
opw-672412
The alternate languages links set in the page `<head>`
were not translated in each language, but within the language
the user is browsing the website.
This led to SEO referencing issues, as these links led
to (30x) redirections if followed, to translate the URL slug
within the new current language.
e.g.
`/fr_FR/shop/product/bose-mini-bluetooth-speaker-7`
automatically redirected to
`/fr_FR/shop/product/mini-haut-parleur-bluetooth-bose-7`
And it was the first link which was displayed as alternate link
when being in another language than French, while it should
be the second (to avoid the useless redirection).
opw-669979
Checking url_list for duplicates is O(n).
Use url_set instead of url_list to improve to O(1).
Otherwise sitemap generation even for a million products will never finish.
Close #11106
Iterator was consuming the first 45k records.
So don't need to specify an offset, because that will ignore the next 45k.
Eg: if step of 5, and range(1,13),
it will only use [1, 2, 3, 4, 5, 11, 12, 13]
Cherry-pick/backport of de8296c3a86da5e4ae35edcdb563d317dac32e76
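The two sitemap fixes above, reproduced as an added example (not the project's code): paging over an already-advancing iterator with an extra offset drops records, and duplicate checks belong in a set. Function names and sample data are hypothetical.

```python
from itertools import islice


def pages_with_offset(records, step):
    """Old behaviour: the shared iterator has already consumed the previous
    page, yet each new page also skips `offset` items, dropping records."""
    it = iter(records)
    offset, pages = 0, []
    while True:
        page = list(islice(it, offset, offset + step))
        if not page:
            return pages
        pages.append(page)
        offset += step


def pages_without_offset(records, step):
    """Fixed behaviour: just keep pulling `step` items from the iterator."""
    it = iter(records)
    pages = []
    while True:
        page = list(islice(it, step))
        if not page:
            return pages
        pages.append(page)


def unique_locs(locs):
    """Deduplicate URLs with a set: O(1) membership test per URL instead of
    scanning a list, while preserving first-seen order."""
    seen = set()
    out = []
    for loc in locs:
        if loc not in seen:
            seen.add(loc)
            out.append(loc)
    return out


def flatten(pages):
    return [rec for page in pages for rec in page]


RECORDS = list(range(1, 14))  # constructed sample: ids 1..13
```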
Route with method="['POST']" should not appear in sitemap
This code had never worked.
rule.method is not the list of methods declared on the endpoint but "the HTTP
method for the rule if there are different URLs for different methods on
the same endpoint" (src http://werkzeug.pocoo.org/docs/0.11/routing/)
The new code uses the method declared on endpoint and so will avoid adding
endpoint with method declared and which doesn't support GET.
If anybody adds a new modal in the `then()` part of the promise, without
this code, all `.modal-backdrop` elements will be deleted, and further
dialogs will not be modal; with this, only the current modal's backdrop
will be deleted.
Unsetting the URL of the menu `Home`,
in Settings > Configuration > Website Settings > Configure Website,
led to the unavailability of the website.
opw-657572
The attribute `data-oe-*` (`data-oe-id`, `data-oe-model`, ...)
must not be added when rendering the assets, to avoid
having different assets content,
e.g. a different content for the assets_common,
according to whether the user is signed in or not,
if the user can edit the website or not.
A different content for an assets according to the
users rights or the user being signed in or not means
that the assets are permanently re-written in the filestore,
which is against the point of the assets.
The content of the assets (assets_common) must not be
different from time to time, it must always be the same
(except when installing a new module, obviously).
Adding the `data-oe` attributes was pointless for the assets
anyway, and prevented having an identical content all
the time, therefore rewriting the assets all the time
in the filestore.
opw-657046
When we had things like `&nbsp;` or `&amp;` in a text we want to translate,
the translation system would save it unescaped (so \xa0 and &).
So in this instance, the translation would not match the real source
which was not subjected to this unescaping.
opw-653173
note: fix is courtesy of dle (no need to forward port after saas-6)
It is possible to have a child menu without URL.
The condition checking if the `active` class
must be added or not must take that into account.
opw-653132
It is not impossible to have a submenu without URL.
The condition to set the menu item as active or not
must therefore take that into account.
opw-652688
Use the parameter zoom as in `google_map_img`
Change the default value to 10 to avoid changing the behaviour for existing
links (zoom was not used anyway).
Closes #8318
jQuery has a special behaviour when using .contents() over an iframe
object. This caused an error for escaping when saving the page with an
iframe content of an external domain.
introduced by 8c77c711
opw-649570
Add multilang=False to website_image controller to prevent redirects
Because website_image is decorated with website=True
Requests made for the product image at
`/website/image/product.template/xx_xx/..`
triggered redirections to add the language code to the
requests URLs. This redirection was useless, as setting
the language code for images is nonsense.
Adding `websitelang=False` prevents this redirection.
In addition, the redirection could lead to
SSL security concerns, as the redirection
could use the http:// scheme.
Closes #8515
In 7d40a7d, f820c07, 3ed0628 the way the mobile preview iframe is set
was altered several times. This left an inconsistent needless page load.
This page load was cancelled, but as a side effect in a given set of
conditions:
- an ajax request is done early in current (and so iframe) page,
- phantomjs is used for the test,
- server response time
this could lead to a false positive caused by a cancelled xhr request
throwing the error: "Can't load template, http status 0".
Escape text nodes changed via the web editor before sending the content
to the server controller.
It is done since the content is unescaped one time when being displayed,
and it is not done for inline style and script tags (which may be
injected by dropping a snippet) since that would break them.
replacing the solution in cdb900044.
1. A menu with `/page/website.***` should be flagged as `active`
if the current url is `/page/***`. This is a retro-compatibility
patch for c9d41679fb, so the
menu is marked as active without having to rename it, by
removing this `website.` thing.
2. If you defined two menus with as url `/page/test` and `/page/test2`
Both menus were flagged as `active` when you browsed the url
`/page/test2`, because it started with both menus urls.
Fixes #3059
Closes #3070
In the top menu bar, the `active` class is set when the
menu url matches the page url (the url in the browser url bar)
A while ago, we made it so all urls
`/page/website.***`
were automatically redirected to
`/page/****`
Therefore, if the menu url still contains this `website.` prefix,
the active class wasn't set on it, while it should.
Fixes #3059
Closes #3070
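The menu-activation rules from the commit messages above (legacy `website.` prefix, prefix collisions, and menus without a URL), as an added example that is not the project's template code. It assumes an exact comparison after normalisation; all function names are hypothetical.

```python
LEGACY_PREFIX = "/page/website."


def normalize(url):
    """Map the legacy form /page/website.xxx onto /page/xxx."""
    if url.startswith(LEGACY_PREFIX):
        return "/page/" + url[len(LEGACY_PREFIX):]
    return url


def is_active_prefix(menu_url, current_url):
    """Behaviour described as faulty: prefix match, no legacy handling."""
    return current_url.startswith(menu_url)


def is_active(menu_url, current_url):
    """A menu is active only when it has a URL and that URL, once
    normalised, equals the normalised current URL."""
    if not menu_url:  # child menus / submenus may have no URL at all
        return False
    return normalize(menu_url) == normalize(current_url)


def active_menus(menus, current_url, matcher=is_active):
    """Return the names of the menus flagged active for current_url."""
    return [name for name, url in menus if url and matcher(url, current_url)]


# Constructed sample menu: (name, url)
MENUS = [
    ("Test", "/page/test"),
    ("Test 2", "/page/test2"),
    ("Contact", "/page/website.contactus"),
    ("Dropdown", None),
]
```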
When saving a template in version 8.0, html would be saved as it should
be displayed once on the site. In particular, if some text should be
escaped once sent to the browser, it will be saved as such.
But when rendering, a text node content is unescaped two times:
* for translation which seems wrong since we already use .text of a node
which already escaped it, doing it one more time is bad,
* when rendering the template, since the html template is stored in xml,
This commit removes superfluous unescaping for translation, and adds an
escaping when saving the changed template content.
closes #7967
opw-646889
Pasting from the website to the website could for example copy
t-field="..." which then would easily add an error if e.g. a field
is copied to an area where it is not available.
This fix strips the data-oe-... attributes of nodes added to the DOM
when pasting.
closes #7653
opw-644968
Commit 4ff1af4 moves the groups attributes on the ir ui view/template.
So the option is no more available in customize menu if user is logged.
No luck, because when you are not logged you don't have the menu.
Groups on template are the best practice to hide the content of a view
to a group of people, except in this case where a customize_show is set
to True.
Maybe that customize_show should ignore groups on ir ui view in a future
version?
Javascript regex \b is not unicode aware,
and words beginning or ending by accents won't match \b
We therefore use a custom regex to replace \b.
Basically, it's a regex matching all words separators
such as dot, comma, spaces, etc. and other unicode
separators as well.
opw-641005
A user (other than the admin) part of the group 'Manage QWeb views'
and the group 'Administration Settings' couldn't edit
any other view than QWeb views.
opw-640376
In website template,
it was not possible to use the variable "lang",
containing the current language,
as the variable was overwritten in website.layout,
in a loop context.
Changing the variable name used by the loop
solves the issue.
opw-639488
closes #6320
* Complements commits a696913364 and
21d4b3fda9 by adding the missing `data-lang`
attribute also in the report layout (in saas-6 a single QWeb
template is used for language links in both reports and website
layouts).
* Fix the "Edit Master" link to work also for outdated templates
where the data-lang attribute is dynamically set to 'default',
and thus cannot be used as URL prefix -> use /website/lang
controller to switch lang instead.
Depending on the area (in this case a html field), the editor can escape
the url which wasn't taken into account by this widget.
closes #6726
opw-639852
Improves aea358ca67 and avoids spurious
redirects for URLs that do not match a controller but do not
have a valid language.
When the URL does not match any controller, the language
matcher tried to strip the leading path component, treating
it as a language code. For example:
/fr_BE/page/homepage
would not match any route, so it would be rerouted internally
as /page/homepage, after setting `request.lang` to fr_BE.
This breaks the magical 404 handler that allows ir.attachment
entries to be mapped to static URLs. Due to the internal rerouting,
the mapping of e.g. /website_mycompany/static/src/image/logo.png
would be rerouted to /static/src/image/logo.png and not match
the mapped URL anymore.
Now the stripping of the path component will only occur if
that path component matches an installed language code.
The consequence is that URLs containing uninstalled language codes
will now lead to 404 errors - an acceptable trade-off (e.g.
when an older version of the website is still indexed by a search
engine)
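The rerouting change described above, as an added example (not Odoo's routing code): the leading path component is stripped only when it is an installed language code. The route table, attachment mapping, language set and function names are constructed for illustration.

```python
INSTALLED_LANGS = {"en_US", "fr_BE"}  # constructed sample
ROUTES = {"/page/homepage"}           # constructed controller routes
ATTACHMENT_URLS = {                   # constructed ir.attachment URL mapping
    "/website_mycompany/static/src/image/logo.png",
}


def split_first_component(path):
    """'/a/b/c' -> ('a', '/b/c'); '/a' -> ('a', '/')."""
    parts = path.split("/", 2)
    first = parts[1] if len(parts) > 1 else ""
    rest = "/" + parts[2] if len(parts) > 2 else "/"
    return first, rest


def resolve(path, strict):
    """Return (kind, routed_path, lang).

    strict=False: any leading component of an unmatched URL is treated as a
                  language code and stripped (behaviour before the change).
    strict=True:  it is stripped only if it is an installed language code.
    """
    lang = None
    if path not in ROUTES:
        first, rest = split_first_component(path)
        if not strict or first in INSTALLED_LANGS:
            lang, path = first, rest
    if path in ROUTES:
        return ("controller", path, lang)
    if path in ATTACHMENT_URLS:
        # stands in for the 404 handler that serves mapped attachments
        return ("attachment", path, lang)
    return ("404", path, lang)
```

With `strict=True` the attachment URL keeps its first component and still matches its mapping, while a URL carrying an uninstalled code such as `de_DE` ends in a 404, which is the trade-off the commit message accepts.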
when closing a modal, the class 'modal-open' was removed from the
'body' tag and all the existing modals became not scrollable.
The class 'modal-open' must be kept in the 'body' tag if there is
still a visible modal in the dom.
Inspired from commit: dee000be14
opw:633801