[FIX] website_crm_partner_assign: escape interested partner comment
In portal a user can say he is interested in a lead and take it. He can also
post a comment. However this comment was not escaped, leading to possible
html injection.
As this comment is used to post a message no real issue occurs. It is sanitized
and behaves like every html content used in message_post. However we do not
want to support html here and therefore escape the content given to message
post.
Task ID 2228921
closes odoo/odoo#49521
Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
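
The difference the commit message describes, sanitizing a comment versus escaping it before it is posted, shown as an added example that is not Odoo's code. `sanitize` is a toy allowlist filter, `post_message` is a hypothetical stand-in for a sink that sanitizes HTML bodies, and the comment is a constructed sample.

```python
import html
from html.parser import HTMLParser

# Hypothetical allowlist, standing in for a message sanitizer (not Odoo's).
ALLOWED_TAGS = {"a", "b", "i", "p", "br"}


class AllowlistSanitizer(HTMLParser):
    """Toy sanitizer: keeps allowlisted tags, drops all other markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            # Only http(s) links survive; every other attribute is dropped.
            if name == "href" and (value or "").lower().startswith(("http://", "https://")):
                kept += f' href="{html.escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def post_message(body):
    """Hypothetical sink: treats its input as HTML and sanitizes it."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def post_comment_sanitized_only(comment):
    # Before: user markup reaches the sink and allowed tags are kept.
    return post_message(comment)


def post_comment_escaped(comment):
    # After: the comment is escaped first, so the sink sees plain text.
    return post_message(html.escape(comment))


# Constructed sample comment typed by a portal user.
COMMENT = 'I am <b>interested</b>, see <a href="https://example.invalid/">this page</a>'
```

With sanitization alone the stored message still contains the user's `<b>` and `<a>` elements; with escaping first, the reader sees the comment exactly as typed and no user-controlled markup is rendered.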