[FIX] mail: escape user and partner names before being rendered in mail widgets

[odoo/odoo.git] / addons / mail / static / src / xml / mail.xml

diff --git a/addons/mail/static/src/xml/mail.xml b/addons/mail/static/src/xml/mail.xml
index f500494..752806e 100644 (file)
--- a/addons/mail/static/src/xml/mail.xml
+++ b/addons/mail/static/src/xml/mail.xml
@@ -249,9 +249,9 @@
                 <div class="oe_msg_content">
                     <h1 t-if="(widget.show_record_name or widget.subject) and !widget.thread_level" class="oe_msg_title">
                         <a t-if="widget.options.show_link and widget.show_record_name" class="oe_mail_action_model" t-attf-href="#model=#{widget.model}&amp;id=#{widget.res_id}">
-                            <t t-raw="widget.record_name"/>
+                            <t t-esc="widget.record_name"/>
                         </a>
-                        <span t-if="!widget.options.show_link and widget.show_record_name"><t t-raw="widget.record_name"/></span>
+                        <span t-if="!widget.options.show_link and widget.show_record_name"><t t-esc="widget.record_name"/></span>
                         <t t-if="widget.show_record_name and widget.subject">: </t>
                         <t t-if="widget.subject" t-raw="widget.subject"/>
                     </h1>
@@ -263,8 +263,8 @@
                     <t t-if="widget.attachment_ids.length > 0">
                         <div class="oe_msg_attachment_list"></div>
                     </t>
-                    <a t-if="widget.author_id and widget.options.show_link and widget.author_id[0]" t-attf-href="#model=res.partner&amp;id=#{widget.author_id[0]}"><t t-raw="widget.author_id[2]"/></a>
-                    <span t-if="widget.author_id and (!widget.options.show_link or !widget.author_id[0])"><t t-raw="widget.author_id[2]"/></span>
+                    <a t-if="widget.author_id and widget.options.show_link and widget.author_id[0]" t-attf-href="#model=res.partner&amp;id=#{widget.author_id[0]}"><t t-esc="widget.author_id[2]"/></a>
+                    <span t-if="widget.author_id and (!widget.options.show_link or !widget.author_id[0])"><t t-esc="widget.author_id[2]"/></span>
                     <t t-if="widget.type == 'notification'">
                         updated document
                         <t t-if="widget.partner_ids.length > 0">
@@ -283,8 +283,8 @@
                     <t t-if="widget.type == 'notification' or ( (widget.type == 'email' or widget.type == 'comment') and widget.subtype)"
                             t-foreach="widget.partner_ids.slice(0, 3)" t-as="partner">
                         <span t-attf-class="oe_partner_follower">
-                        <a t-if="widget.options.show_link" t-attf-href="#model=res.partner&amp;id=#{partner[0]}"><t t-raw="partner[1]"/></a>
-                        <t t-if="!widget.options.show_link" t-raw="partner[1]"/>
+                        <a t-if="widget.options.show_link" t-attf-href="#model=res.partner&amp;id=#{partner[0]}"><t t-esc="partner[1]"/></a>
+                        <t t-if="!widget.options.show_link" t-esc="partner[1]"/>
                         </span>
                         <t t-if="!partner_last">,</t>
                     </t>