diff --git a/report_py3o/models/py3o_report.py b/report_py3o/models/py3o_report.py
index 78db12ea..1e2866c3 100644
--- a/report_py3o/models/py3o_report.py
+++ b/report_py3o/models/py3o_report.py
@@ -7,6 +7,7 @@ from base64 import b64decode
from cStringIO import StringIO
import logging
import os
+import cgi
from contextlib import closing
import subprocess
@@ -64,8 +65,7 @@ def py3o_report_extender(report_xml_id=None):
def format_multiline_value(value):
if value:
- return Markup(value.replace('<', '<').replace('>', '>').
- replace('\n', '').
+ return Markup(cgi.escape(value).replace('\n', '').
replace('\t', ''))
return ""
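Review bot: `cgi.escape(value)` on the new return line runs with the default `quote=False`, so `"` is passed through unescaped; that is safe while the result only ever lands in element text, but it is not attribute-safe, so if a template ever places this value inside an attribute the call should be `cgi.escape(value, quote=True)`. `cgi.escape` is also deprecated since Python 3.2 and removed in 3.8; this module still imports `cStringIO` so it is Python-2-only today, but the eventual replacement is `html.escape`, which escapes quotes by default, and a comment next to the new import would save the next maintainer a search: `# cgi.escape is removed in Python 3.8; switch to html.escape on migration`. Separately, the falsy branch still returns a plain `""` while the other branch returns a `Markup`, so callers see two types; `return Markup("")` would keep them consistent.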
diff --git a/report_py3o/tests/test_report_py3o.py b/report_py3o/tests/test_report_py3o.py
index 0d85dff7..2cf49550 100644
--- a/report_py3o/tests/test_report_py3o.py
+++ b/report_py3o/tests/test_report_py3o.py
@@ -15,8 +15,16 @@ from odoo import tools
from odoo.tests.common import TransactionCase
from odoo.exceptions import ValidationError
-from ..models.py3o_report import TemplateNotFound
+from ..models.py3o_report import TemplateNotFound, format_multiline_value
from base64 import b64encode
+import logging
+
+logger = logging.getLogger(__name__)
+
+try:
+ from genshi.core import Markup
+except ImportError:
+ logger.debug('Cannot import genshi.core')
@contextmanager
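Review bot: The new `except ImportError` branch around the genshi import only logs and leaves `Markup` unbound, so on a machine without genshi the new `test_escape_html_characters_format_multiline_value` fails with a `NameError` instead of being skipped, which reads as a regression in the code under test rather than a missing optional dependency. Binding a sentinel in the handler, `Markup = None`, and opening the test with `if Markup is None: self.skipTest('genshi is not installed')` makes the outcome explicit. py3o_report.py presumably imports `Markup` at module level itself (not visible in this diff), so whether the import can actually fail in a working install is unclear from here; the guard is still the safer shape. Note also the bare `import logging` is placed after the relative import, whereas the surrounding block keeps stdlib imports together.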
@@ -188,3 +196,7 @@ class TestReportPy3o(TransactionCase):
# non exising files are not valid template
self.assertFalse(self.py3o_report._get_template_from_path(
'/etc/test.odt'))
+
+ def test_escape_html_characters_format_multiline_value(self):
+ self.assertEqual(Markup('<>&test;'),
+ format_multiline_value('<>\n&test;'))
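Review bot: The new test exercises only `<`, `>`, `&` and a single newline; the tab replacement, double quotes (which `cgi.escape` leaves untouched under its default `quote=False`) and the falsy path that returns `""` are not covered, so a regression in any of them would still pass. Adding `self.assertEqual(format_multiline_value(''), '')` plus one input containing `\t` and `"` would pin the full contract in a couple of lines. The expected-value literal as shown here appears to have lost its HTML entities in rendering; confirm the committed expected string is the already-escaped form, since `Markup(...)` does not escape its argument. The enclosing `TestReportPy3o` class starts outside the hunk.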