[FIX] double htmlescaping in m2o fields when selecting an autocomplete choice

When providing values to the autocomplete, there are two keys used by
the autocomplete system itself:
* A mandatory label
* An optional value

If the value is not specified, the autocomplete will use the label
*but* it will htmlescape the label's value before setting it on the
input, while the provided label is raw HTML.

While this protects the input, if the label was already htmlescaped
(because it's user-provided data and may contain e.g. ampersands) in
order not to break the autocompletion list, it will end up
double-escaped with e.g. `&` characters replaced by `&` in
user-visible text.

The fix is to use the `value` key and set it to unescaped text data,
the widget will escape it before setting it on the field yielding the
correct user-facing result.

lp bug: https://launchpad.net/bugs/922666 fixed

bzr revid: xmo@openerp.com-20120131090226-8r64u4w3bb36se7n

diff --git a/addons/web/static/src/js/view_form.js b/addons/web/static/src/js/view_form.js
index 206da19..8a60973 100644 (file)
--- a/addons/web/static/src/js/view_form.js
+++ b/addons/web/static/src/js/view_form.js
@@ -1892,7 +1892,12 @@ openerp.web.form.FieldMany2One = openerp.web.form.Field.extend({
             self.last_search = data;
             // possible selections for the m2o
             var values = _.map(data, function(x) {
-                return {label: $('<span />').text(x[1]).html(), name:x[1], id:x[0]};
+                return {
+                    label: _.str.escapeHTML(x[1]),
+                    value:x[1],
+                    name:x[1],
+                    id:x[0]
+                };
             });
 
             // search more... if more results that max