fix: sanitize POS order log messages using Markup to prevent XSS and clean up imports

models/pos_order.py

@@ -1,5 +1,6 @@
 import json
 import logging
+from markupsafe import Markup
 from odoo import api, fields, models
 
 _logger = logging.getLogger(__name__)
@@ -46,7 +47,7 @@ class PosOrder(models.Model):
                     action_str = f"Reduced quantity by {cancel.get('cancelled_qty', 0)} (from {cancel.get('qty', 0)} to {float(cancel.get('qty', 0)) - float(cancel.get('cancelled_qty', 0))})"
                 body += f"<li><strong>{cancel.get('product_name')}</strong>: {action_str} by <strong>{cancel.get('employee_name', 'Unknown')}</strong></li>"
             body += "</ul>"
-            self.message_post(body=body)
+            self.message_post(body=Markup(body))
             self.write({'x_logged_cancellations': json.dumps(logged_ids)})
 
     def action_pos_order_cancel(self):
@@ -69,7 +70,7 @@ class PosOrder(models.Model):
         res = super().action_pos_order_cancel()
 
         for order in self:
-            order.message_post(body=f"<strong>Order Cancelled</strong> by <strong>{employee_name}</strong>")
+            order.message_post(body=Markup("<strong>Order Cancelled</strong> by <strong>{}</strong>").format(employee_name))
 
             # Log any frontend-tracked line deletions/reductions that happened
             # before this cancellation. Use str(order.id) as the JS context key
@@ -88,7 +89,6 @@ class PosOrder(models.Model):
         if self.employee_id and hasattr(self.employee_id, 'pos_role') and self.employee_id.pos_role:
             role_selection = dict(self.env['hr.employee']._fields['pos_role'].selection)
             role_name = role_selection.get(self.employee_id.pos_role, "Cashier")
-            from markupsafe import Markup
             return body + Markup("<br/>") + f"{role_name} {self.employee_id.name}"
         return super()._prepare_pos_log(body)