Community: Framework mailing list archives
Re: Is fields.Html() supposed to work in tree views?by
initOS GmbH, Torsten Francke
Hi, On 23.09.2014 02:21, Maxim Litnitskiy wrote: > Notice: The risk is that you include html and doing this you may have > security problems because there can be any bad stuff inside. > > Hi Markus! > To minimize risk there can be an option like 'elements' where one can > enumerate possible html elements and escape all others. i just check how the behavior is in the default for fields.html and the JS just include everything come from the server. So if it is JS-Code inside the browser will execute it. Odoo filters data on input. So you can not write "