small security focused changes

Author: ged-odoo

addons/html_builder/static/src/core/anchor/anchor_plugin.js

@@ -5,6 +5,7 @@ import { _t } from "@web/core/l10n/translation";
 import { markup } from "@odoo/owl";
 import { AnchorDialog } from "./anchor_dialog";
 import { getElementsWithOption } from "@html_builder/utils/utils";
+import { escape } from "@web/core/utils/strings";
 
 const anchorSelector = ":not(p).oe_structure > *, :not(p)[data-oe-type=html] > *";
 const anchorExclude =
@@ -91,7 +92,7 @@ export class AnchorPlugin extends Plugin {
         }
         const anchorLink = this.getAnchorLink(element);
         await browser.navigator.clipboard.writeText(anchorLink);
-        const message = markup(_t("Anchor copied to clipboard<br>Link: %s", anchorLink));
+        const message = markup(_t("Anchor copied to clipboard<br>Link: %s", escape(anchorLink)));
         const closeNotification = this.services.notification.add(message, {
             type: "success",
             buttons: [

addons/html_builder/static/src/core/building_blocks/builder_select.js

@@ -9,6 +9,7 @@ import {
 } from "../utils";
 import { BuilderComponent } from "./builder_component";
 import { useDropdownState } from "@web/core/dropdown/dropdown_hooks";
+import { setElementContent } from "@web/core/utils/html";
 
 export class WithIgnoreItem extends Component {
     static template = xml`<t t-slot="default"/>`;
@@ -52,7 +53,7 @@ export class BuilderSelect extends Component {
             if (!this.props.slots.fixedButton) {
                 const newHtml = currentLabel || _t("None");
                 if (buttonRef.el && buttonRef.el.innerHTML !== newHtml) {
-                    buttonRef.el.innerHTML = newHtml;
+                    setElementContent(buttonRef.el, newHtml);
                 }
             }
         };

addons/html_builder/static/src/core/building_blocks/builder_select_item.js

@@ -1,4 +1,4 @@
-import { Component, onMounted, useRef } from "@odoo/owl";
+import { Component, markup, onMounted, useRef } from "@odoo/owl";
 import { getActiveHotkey } from "@web/core/hotkeys/hotkey_service";
 import {
     clickableBuilderComponentProps,
@@ -32,7 +32,8 @@ export class BuilderSelectItem extends Component {
             // todo: it's not clear why the item.el?.innerHTML is not set at in
             // some cases. We fallback on a previously set value to circumvent
             // the problem, but it should be investigated.
-            label = this.props.label || item.el?.innerHTML || label || "";
+
+            label = this.props.label || (item.el ? markup(item.el.innerHTML) : "") || label || "";
             return label;
         };
 

addons/html_builder/static/src/core/save_snippet_plugin.js

@@ -2,6 +2,7 @@ import { Plugin } from "@html_editor/plugin";
 import { withSequence } from "@html_editor/utils/resource";
 import { markup } from "@odoo/owl";
 import { _t } from "@web/core/l10n/translation";
+import { escape } from "@web/core/utils/strings";
 
 const savableSelector = "[data-snippet], a.btn";
 // TODO `so_submit_button_selector` ?
@@ -42,7 +43,7 @@ export class SaveSnippetPlugin extends Plugin {
             const message = markup(
                 _t(
                     "Your custom snippet was successfully saved as <strong>%s</strong>. Find it in your snippets collection.",
-                    savedName
+                    escape(savedName)
                 )
             );
             this.services.notification.add(message, {

addons/website/static/src/client_actions/website_preview/website_builder_action.js

@@ -397,7 +397,7 @@ export class WebsiteBuilder extends Component {
         this.setIframeLoaded();
         this.websiteService.websiteRootInstance = undefined;
         if (url) {
-            this.websiteContent.el.contentWindow.location = url;
+            this.websiteContent.el.contentWindow.location = encodeURIComponent(url);
         } else {
             this.websiteContent.el.contentWindow.location.reload();
         }