Commit d11ee780 authored by Martin Trigaux
[IMP] bus: unescape notification message


The title of notification is the author name escaped (for security
reasons).

   if (message.hasAuthor()) {
       title = _.escape(message.getAuthorName());
   }

When forwarded to the system notification, it does not need to be
escaped though, as the system notification is not HTML based.

Without this patch, a user named "Bob's friend" sending a message was
creating a notification with the title "Bob's friend".

Unescaping the notification body just in case, but the HTML of the body
in a mail.messages should be stripped by _notifyIncomingMessage.
Unescaping will just ignore unescaped characters and should do
nothing on messages not escaped.

Fixes odoo/odoo#24846

closes odoo/odoo#44550

Signed-off-by: Martin Trigaux (mat) <mat@odoo.com>
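The behaviour the commit message describes, as an added example that is not Odoo's code: `escapeHtml`/`unescapeHtml` are stand-ins assumed to use the same entity map as Underscore's `_.escape`/`_.unescape`, and the two `nativeNotification*` functions model the title handling before and after the patch.

```javascript
// Stand-in for _.escape / _.unescape (assumed to match Underscore's map).
const ESCAPE_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};
const UNESCAPE_MAP = Object.fromEntries(
  Object.entries(ESCAPE_MAP).map(([ch, ent]) => [ent, ch])
);

// Escape for an HTML context (what the chat window needs for the title).
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Reverse only the entities escapeHtml produces; anything else is left alone,
// so text that was never escaped passes through unchanged.
function unescapeHtml(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#x27|#x60);/g, (ent) => UNESCAPE_MAP[ent]);
}

// Before the patch: the HTML-escaped title was handed straight to the native
// Notification, which renders plain text, so the entity showed up literally.
function nativeNotificationBefore(authorName, body) {
  const title = escapeHtml(authorName);
  return { title, body };
}

// After the patch: unescape once, at the last step, right before the
// plain-text Notification API sees the strings.
function nativeNotificationAfter(authorName, body) {
  const title = escapeHtml(authorName);
  return { title: unescapeHtml(title), body: unescapeHtml(body) };
}
```

Note that a single unescape pass is not a no-op on plain text that already contains an entity-like sequence (for example a body with a literal `&amp;lt;`), which is why the call belongs only at the final, non-HTML step.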
......@@ -80,7 +80,14 @@ var BusService = CrossTab.extend(ServicesMixin, {
* @param {function} [callback] if given callback will be called when user clicks on notification
*/
_sendNativeNotification: function (title, content, callback) {
var notification = new Notification(title, {body: content, icon: "/mail/static/src/img/odoobot_transparent.png"});
var notification = new Notification(
// The native Notification API works with plain text and not HTML
// unescaping is safe because done only at the **last** step
_.unescape(title),
{
body: _.unescape(content),
icon: "/mail/static/src/img/odoobot_transparent.png"
});
notification.onclick = function () {
window.focus();
if (this.cancel) {
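Review bot: the JSDoc above `_sendNativeNotification` still documents only `callback`, yet the new `_.unescape(title)` and `_.unescape(content)` calls turn "both arguments arrive HTML-escaped" into a contract of this function (the added comment only holds if this really is the last step); add `* @param {string} title HTML-escaped notification title` and `* @param {string} content HTML-escaped body text` so a later caller does not pass raw text whose entity-like sequences would be altered. Since `_.unescape` only reverses the entities `_.escape` emits, any tags left in `content` reach the native notification as literal text, which is harmless for the plain-text Notification API but worth confirming against the stripping in `_notifyIncomingMessage` that the commit message relies on. Minor: the `**last**` markdown emphasis does not render inside a JS comment; plain wording reads better.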