From 2a5372f81748509cbc23162186377e530977d7c0 Mon Sep 17 00:00:00 2001
From: Akim Juillerat
Date: Thu, 7 Nov 2024 17:14:47 +0100
Subject: [PATCH] [IMP] mail_quoted_reply: Sanitize HTML body before quoting

As we are adding HTML from external messages into the mail composer HTML widget, we do not control what is in there and it could break the webclient or making it unresponsive depending on its content.

Sanitizing the body of the quoted message might not solve all the issues, but it at least provides a hook for extra processing.
---
 mail_quoted_reply/models/mail_message.py  | 8 ++++++--
 mail_quoted_reply/readme/CONTRIBUTORS.rst | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/mail_quoted_reply/models/mail_message.py b/mail_quoted_reply/models/mail_message.py
index f9e72e0eca..6ea01e9e35 100644
--- a/mail_quoted_reply/models/mail_message.py
+++ b/mail_quoted_reply/models/mail_message.py
@@ -2,12 +2,16 @@
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
 
 from odoo import _, models
-from odoo.tools import format_datetime
+from odoo.tools import format_datetime, html_sanitize
 
 
 class MailMessage(models.Model):
     _inherit = "mail.message"
 
+    def _get_sanitized_body(self):
+        self.ensure_one()
+        return html_sanitize(self.body)
+
     def _prep_quoted_reply_body(self):
         return """
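Review bot: `_get_sanitized_body` has no docstring, yet the commit message presents it as the hook for extra processing of quoted HTML, so its contract should be stated next to the code; a docstring such as `"""Return ``body`` cleaned by ``html_sanitize`` for quoting in a reply. Override to apply extra processing to the quoted HTML."""` would do. The call relies on `html_sanitize`'s default arguments; if the goal is to keep external markup from disturbing the composer widget, consider making the strictness explicit, e.g. `return html_sanitize(self.body, sanitize_style=True)`, so behaviour does not drift with the helper's defaults. `self.body` can be falsy for an empty message; I believe `html_sanitize` returns such input untouched, but a test quoting an empty body would pin that.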
@@ -29,7 +33,7 @@ def _prep_quoted_reply_body(self):
             email_from=self.email_from,
             date=format_datetime(self.env, self.date),
             subject=self.subject,
-            body=self.body,
+            body=self._get_sanitized_body(),
             signature=self.env.user.signature,
             str_date=_("Date"),
             str_subject=_("Subject"),
diff --git a/mail_quoted_reply/readme/CONTRIBUTORS.rst b/mail_quoted_reply/readme/CONTRIBUTORS.rst
index 3cbde28448..ea82f79409 100644
--- a/mail_quoted_reply/readme/CONTRIBUTORS.rst
+++ b/mail_quoted_reply/readme/CONTRIBUTORS.rst
@@ -3,3 +3,4 @@
 * Giuseppe Borruso
 * Laurence Labusch
 * Dani Forga
+* Akim Juillerat
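Review bot: Only `body` is sanitized here, while `email_from` and `subject` on the lines just above are still interpolated into the same HTML template unescaped, so a `<` or `&` in an external sender's display name or subject is rendered as markup rather than text in the quoted block. Passing them through the escaping helper closes that gap, e.g. `email_from=html_escape(self.email_from or ""),` and `subject=html_escape(self.subject or ""),`, with `html_escape` added to the `odoo.tools` import changed in the first hunk. `signature` comes from the current user, so it is trusted HTML and can stay as it is. The enclosing `_prep_quoted_reply_body` starts before and ends after this hunk.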