Community: Framework mailing list archives

expert-framework@mail.odoo.com

Re: Is fields.Html() supposed to work in tree views?

by
initOS GmbH, Torsten Francke
- 09/23/2014 03:41:57
Hi,

On 23.09.2014 02:21, Maxim Litnitskiy wrote:
>     Notice: The risk is that you include html and doing this you may have
>     security problems because there can be any bad stuff inside.
> 
> Hi Markus!
> To minimize risk there can be an  option like 'elements' where one can
> enumerate possible html elements and escape all others.

i just check how the behavior is in the default for fields.html and the
JS just include everything come from the server. So if it is JS-Code
inside the browser will execute it.
Odoo filters data on input. So you can not write "