fix(cr): escape user values in review HTML and simplify onchange

emjay0921 · emjay0921 · commit 9d94eeff5091 · 2026-03-13T12:13:20.000+08:00
- Add html_escape to _format_review_value to prevent XSS in review page
- Deduplicate field clearing in _onchange_operation
diff --git a/spp_change_request_v2/details/update_id.py b/spp_change_request_v2/details/update_id.py
@@ -150,15 +150,12 @@ def _onchange_operation(self):
         # Unlock operation when changed (user came back to edit)
         self.is_operation_locked = False
 
+        # Clear fields common to all operations
+        self.id_type_id = False
+        self.id_value = False
+        self.expiry_date = False
         if self.operation == "add":
             self.existing_id_record_id = False
-            self.id_type_id = False
-            self.id_value = False
-            self.expiry_date = False
-        elif self.operation in ("update", "remove"):
-            self.id_type_id = False
-            self.id_value = False
-            self.expiry_date = False
 
         if warning:
             return {"warning": warning}
diff --git a/spp_change_request_v2/models/change_request.py b/spp_change_request_v2/models/change_request.py
@@ -1,5 +1,7 @@
 import logging
 
+from markupsafe import escape as html_escape
+
 from odoo import _, api, fields, models
 from odoo.exceptions import UserError, ValidationError
 
@@ -1241,9 +1243,9 @@ def _format_review_value(self, value):
             return '<span class="badge text-bg-success">Yes</span>'
         if isinstance(value, list):
             if value:
-                return "<br/>".join(str(v) for v in value)
+                return "<br/>".join(html_escape(str(v)) for v in value)
             return '<span class="text-muted">—</span>'
-        return str(value)
+        return html_escape(str(value))
 
     def _capture_preview_snapshot(self):
         """Capture and store the preview HTML and JSON before applying changes."""
