def test_style_parsing(self):
test_data = [
(
'<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>',
['background-color: red', 'Coin coin'],
['position', 'top', 'left']
), (
"""<div style='before: "Email Address; coincoin cheval: lapin";
font-size: 30px; max-width: 100%; after: "Not sure
this; means: anything ?#ùµ"
; some-property: 2px; top: 3'>youplaboum</div>""",
['font-size: 30px', 'youplaboum'],
['some-property', 'top', 'cheval']
), (
'<span style="width">Coincoin</span>',
[],
['width']
)
]
for test, in_lst, out_lst in test_data:
new_html = html_sanitize(test, sanitize_attributes=False, sanitize_style=True, strip_style=False, strip_classes=False)
for text in in_lst:
self.assertIn(text, new_html)
for text in out_lst:
self.assertNotIn(text, new_html)
# style should not be sanitized if removed
new_html = html_sanitize(test_data[0][0], sanitize_attributes=False, strip_style=True, strip_classes=False)
self.assertEqual(new_html, u'<span>Coin coin </span>')
def test_misc(self):
# False / void should not crash
html = html_sanitize('')
self.assertEqual(html, '')
html = html_sanitize(False)
self.assertEqual(html, False)
# Message with xml and doctype tags don't crash
html = html_sanitize(u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n')
self.assertNotIn('encoding', html)
self.assertNotIn('<title>404 - Not Found</title>', html)
self.assertIn('<h1>404 - Not Found</h1>', html)
def test_quote_text(self):
html = html_sanitize(test_mail_examples.TEXT_1)
for ext in test_mail_examples.TEXT_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.TEXT_1_OUT:
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
html = html_sanitize(test_mail_examples.TEXT_2)
for ext in test_mail_examples.TEXT_2_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.TEXT_2_OUT:
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_quote_hotmail_html(self):
html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML)
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT:
self.assertIn(ext, html)
html = html_sanitize(test_mail_examples.HOTMAIL_1)
for ext in test_mail_examples.HOTMAIL_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.HOTMAIL_1_OUT:
self.assertIn(ext, html)
def test_quote_basic_text(self):
test_data = [
(
"""This is Sparta!\n--\nAdministrator\n+9988776655""",
['This is Sparta!'],
['\n--\nAdministrator\n+9988776655']
), (
"""<p>This is Sparta!\n--\nAdministrator</p>""",
[],
['\n--\nAdministrator']
), (
"""<p>This is Sparta!<br/>--<br>Administrator</p>""",
['This is Sparta!'],
[]
), (
"""This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""",
['This is Sparta!', 'Certes', 'Clair'],
['\n>Ah bon ?', '\n> Chouette !']
)
]
for test, in_lst, out_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
for text in out_lst:
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(text), new_html)
def convert_answer_to_comment(self):
""" Tools to convert an answer (forum.post) to a comment (mail.message).
The original post is unlinked and a new comment is posted on the question
using the post create_uid as the comment's author. """
self.ensure_one()
if not self.parent_id:
return self.env['mail.message']
# karma-based action check: use the post field that computed own/all value
if not self.can_comment_convert:
raise KarmaError('Not enough karma to convert an answer to a comment')
# post the message
question = self.parent_id
values = {
'author_id': self.sudo().create_uid.partner_id.id, # use sudo here because of access to res.users model
'body': tools.html_sanitize(self.content, sanitize_attributes=True, strip_style=True, strip_classes=True),
'message_type': 'comment',
'subtype': 'mail.mt_comment',
'date': self.create_date,
}
new_message = question.with_context(mail_create_nosubscribe=True).message_post(**values)
# unlink the original answer, using SUPERUSER_ID to avoid karma issues
self.sudo().unlink()
return new_message
def send_mail_test(self):
self.ensure_one()
mails = self.env['mail.mail']
mailing = self.mass_mailing_id
test_emails = tools.email_split(self.email_to)
mass_mail_layout = self.env.ref('mass_mailing.mass_mailing_mail_layout')
for test_mail in test_emails:
# Convert links in absolute URLs before the application of the shortener
mailing.write({'body_html': self.env['mail.thread']._replace_local_links(mailing.body_html)})
body = tools.html_sanitize(mailing.body_html, sanitize_attributes=True, sanitize_style=True)
mail_values = {
'email_from': mailing.email_from,
'reply_to': mailing.reply_to,
'email_to': test_mail,
'subject': mailing.name,
'body_html': mass_mail_layout.render({'body': body}, engine='ir.qweb', minimal_qcontext=True),
'notification': True,
'mailing_id': mailing.id,
'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids],
'auto_delete': True,
}
mail = self.env['mail.mail'].create(mail_values)
mails |= mail
mails.send()
return True
def compute_tips(self, company, user):
tip = self.env['digest.tip'].search([('user_ids', '!=', user.id), '|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)], limit=1)
if not tip:
return False
tip.user_ids = [4, user.id]
body = tools.html_sanitize(tip.tip_description)
tip_description = self.env['mail.template']._render_template(body, 'digest.tip', self.id)
return tip_description
def test_sanitize_unescape_emails(self):
not_emails = [
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>',
'<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">']
for email in not_emails:
sanitized = html_sanitize(email)
left_part = email.split('>')[0] # take only left part, as the sanitizer could add data information on node
self.assertNotIn(misc.html_escape(email), sanitized, 'html_sanitize stripped emails of original html')
self.assertIn(left_part, sanitized)
def test_sanitize_escape_emails(self):
emails = [
"Charles <*****@*****.**>",
"Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>",
"Technical <service/[email protected]>",
"Div nico <*****@*****.**>"
]
for email in emails:
self.assertIn(misc.html_escape(email), html_sanitize(email), 'html_sanitize stripped emails of original html')
def test_edi_source(self):
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
self.assertIn(
'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;', html,
'html_sanitize removed valid styling')
self.assertIn(
'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html,
'html_sanitize removed valid img')
self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def test_evil_malicious_code(self):
# taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
cases = [
("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons
("<IMG SRC=javascript:alert('XSS')>"), # UTF-8 Unicode encoding
("<IMG SRC=javascript:alert('XSS')>"), # hex encoding
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline
("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab
("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab
("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters
("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html
("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"), # malformed tag
("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>"), # extraneous open brackets
("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags
("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"), # input image
("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image
("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc
("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc
("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table
("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background
("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"), # div background with unicoded exploit
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters
("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image
("<BODY ONLOAD=alert('XSS')>"), # event handler
("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes
("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"), # style sheet
("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">"), # remote style sheet
("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2
("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"), # remote style sheet 3
("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"), # remote style sheet 4
("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"), # style attribute using a comment to break up expression
]
for content in cases:
html = html_sanitize(content)
self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript')
self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html))
content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block
self.assertEquals(html_sanitize(content, silent=False), '')
def test_basic_sanitizer(self):
cases = [
("yop", "<p>yop</p>"), # simple
("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text
("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci",
u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode
]
for content, expected in cases:
html = html_sanitize(content)
self.assertEqual(html, expected, 'html_sanitize is broken')
def test_evil_malicious_code(self):
# taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
cases = [
("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons
("<IMG SRC=javascript:alert('XSS')>"), # UTF-8 Unicode encoding
("<IMG SRC=javascript:alert('XSS')>"), # hex encoding
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline
("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab
("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab
("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters
("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html
("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"), # malformed tag
("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>"), # extraneous open brackets
("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags
("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"), # input image
("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image
("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc
("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc
("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table
("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background
("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"), # div background with unicoded exploit
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters
("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image
("<BODY ONLOAD=alert('XSS')>"), # event handler
("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes
("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"), # style sheet
("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">"), # remote style sheet
("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2
("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"), # remote style sheet 3
("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"), # remote style sheet 4
("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"), # style attribute using a comment to break up expression
]
for content in cases:
html = html_sanitize(content)
self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript')
self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html))
content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block
self.assertEquals(html_sanitize(content, silent=False), '')
def _compute_description_rst_html(self):
for version in self:
if version.description_rst:
try:
output = publish_string(
source=version.description_rst,
settings_overrides=self._SETTING_OVERRIDES,
writer=MyWriter())
except Exception:
output =\
"<h1 style='color:red;'>" +\
_("Incorrect RST Description") +\
"</h1>"
else:
output = html_sanitize(
"<h1 style='color:gray;'>" +
_("No Version Found") +
"</h1>")
version.description_rst_html = html_sanitize(output)
def _compute_description_rst_html(self):
for version in self:
if version.description_rst:
try:
output = publish_string(
source=version.description_rst,
settings_overrides=self._SETTING_OVERRIDES,
writer=MyWriter())
except Exception:
output =\
"<h1 style='color:red;'>" +\
_("Incorrect RST Description") +\
"</h1>"
else:
output = html_sanitize(
"<h1 style='color:gray;'>" +
_("No Version Found") +
"</h1>")
version.description_rst_html = html_sanitize(output)
def test_basic_sanitizer(self):
cases = [
("yop", "<p>yop</p>"), # simple
("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text
("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci",
u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode
]
for content, expected in cases:
html = html_sanitize(content)
self.assertEqual(html, expected, 'html_sanitize is broken')
def test_edi_source(self):
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
self.assertIn(
'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;',
html, 'html_sanitize removed valid styling')
self.assertIn(
'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"',
html, 'html_sanitize removed valid img')
self.assertNotIn('</body></html>', html,
'html_sanitize did not remove extra closing tags')
def test_sanitize_escape_emails(self):
emails = [
"Charles <*****@*****.**>",
"Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>",
"Technical <service/[email protected]>",
"Div nico <*****@*****.**>"
]
for email in emails:
self.assertIn(misc.html_escape(email), html_sanitize(email),
'html_sanitize stripped emails of original html')
def test_quote_signature(self):
test_data = [
(
"""<div>Hello<pre>--<br />Administrator</pre></div>""",
["<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">"],
)
]
for test, in_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
def compute_tips(self, company, user, tips_count=1):
tips = self.env['digest.tip'].search([
('user_ids', '!=', user.id),
'|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)
], limit=tips_count)
tip_descriptions = [
self.env['mail.render.mixin']._render_template(tools.html_sanitize(tip.tip_description), 'digest.tip', tip.ids, post_process=True)[tip.id]
for tip in tips
]
tips.user_ids += user
return tip_descriptions
def _action_send_statistics(self):
"""Send an email to the responsible of each finished mailing with the statistics."""
self.kpi_mail_required = False
for mailing in self:
user = mailing.user_id
mailing = mailing.with_context(
lang=user.lang or self._context.get('lang'))
mailing_type = mailing._get_pretty_mailing_type()
link_trackers = self.env['link.tracker'].search([
('mass_mailing_id', '=', mailing.id)
]).sorted('count', reverse=True)
link_trackers_body = self.env['ir.qweb']._render(
'mass_mailing.mass_mailing_kpi_link_trackers',
{
'object': mailing,
'link_trackers': link_trackers,
'mailing_type': mailing_type,
},
)
rendered_body = self.env['ir.qweb']._render(
'digest.digest_mail_main',
{
'body': tools.html_sanitize(link_trackers_body),
'company': user.company_id,
'user': user,
'display_mobile_banner': True,
**mailing._prepare_statistics_email_values()
},
)
full_mail = self.env['mail.render.mixin']._render_encapsulate(
'digest.digest_mail_layout',
rendered_body,
)
mail_values = {
'subject':
_('24H Stats of %(mailing_type)s "%(mailing_name)s"',
mailing_type=mailing._get_pretty_mailing_type(),
mailing_name=mailing.subject),
'email_from':
user.email_formatted,
'email_to':
user.email_formatted,
'body_html':
full_mail,
'auto_delete':
True,
}
mail = self.env['mail.mail'].sudo().create(mail_values)
mail.send(raise_exception=False)
def rst2html(content):
overrides = {
'embed_stylesheet': False,
'doctitle_xform': False,
'output_encoding': 'unicode',
'xml_declaration': False,
}
output = publish_string(content,
settings_overrides=overrides,
writer=ReStructuredTextWriter())
return tools.html_sanitize(output)
def test_quote_signature(self):
test_data = [
(
"""<div>Hello<pre>--<br />Administrator</pre></div>""",
["<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">"],
)
]
for test, in_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
def _get_desc(self):
for module in self:
path = modules.get_module_resource(module.name, 'static/description/index.html')
if path:
with tools.file_open(path, 'rb') as desc_file:
doc = desc_file.read()
html = lxml.html.document_fromstring(doc)
for element, attribute, link, pos in html.iterlinks():
if element.get('src') and not '//' in element.get('src') and not 'static/' in element.get('src'):
element.set('src', "/%s/static/description/%s" % (module.name, element.get('src')))
module.description_html = tools.html_sanitize(lxml.html.tostring(html))
else:
overrides = {
'embed_stylesheet': False,
'doctitle_xform': False,
'output_encoding': 'unicode',
'xml_declaration': False,
}
output = publish_string(source=module.description or '', settings_overrides=overrides, writer=MyWriter())
module.description_html = tools.html_sanitize(output)
def message_body(self, msg, strip_style=True):
"""Return body message prepared for email content.
Message's body can contains styles and other stuff
that can screw the look and feel of digests' mails.
Here we sanitize it if `sanitize_msg_body` is set on the digest.
"""
if not self.sanitize_msg_body:
return msg.body
return tools.html_sanitize(msg.body or '', strip_style=strip_style)
def _get_desc(self):
for module in self:
path = modules.get_module_resource(module.name, 'static/description/index.html')
if path:
with tools.file_open(path, 'rb') as desc_file:
doc = desc_file.read()
html = lxml.html.document_fromstring(doc)
for element, attribute, link, pos in html.iterlinks():
if element.get('src') and not '//' in element.get('src') and not 'static/' in element.get('src'):
element.set('src', "/%s/static/description/%s" % (module.name, element.get('src')))
module.description_html = tools.html_sanitize(lxml.html.tostring(html))
else:
overrides = {
'embed_stylesheet': False,
'doctitle_xform': False,
'output_encoding': 'unicode',
'xml_declaration': False,
}
output = publish_string(source=module.description or '', settings_overrides=overrides, writer=MyWriter())
module.description_html = tools.html_sanitize(output)
def generate_sms(self, res_ids, fields=None):
self.ensure_one()
multi_mode = True
if isinstance(res_ids, pycompat.integer_types):
res_ids = [res_ids]
multi_mode = False
if fields is None:
fields = ['body_html']
res_ids_to_templates = self.get_email_template(res_ids)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.items():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.items():
Template = self.env['sms.template']
# generate fields value for all res_ids linked to the current template
if template.lang:
Template = Template.with_context(
lang=template._context.get('lang')
)
for field in fields:
Template = Template.with_context(safe=field in {'subject'})
generated_field_values = Template._render_template(
getattr(template, field), template.model, template_res_ids,
post_process=(field == 'body_html'))
for res_id, field_value in generated_field_values.items():
results.setdefault(res_id, dict())[field] = field_value
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
# body: add user signature, sanitize
if 'body_html' in fields and template.user_signature:
signature = self.env.user.signature
if signature:
values['body_html'] = tools.append_content_to_html(
values['body_html'],
signature,
plaintext=False
)
if values.get('body_html'):
values['message'] = tools.html_sanitize(
values['body_html']
)
# technical settings
values.update(
model=template.model,
res_id=res_id or False,
)
return multi_mode and results or results[res_ids[0]]
def test_style_class_only(self):
html = html_sanitize(test_mail_examples.REMOVE_CLASS,
sanitize_attributes=False,
sanitize_style=True,
strip_classes=True)
for ext in test_mail_examples.REMOVE_CLASS_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.REMOVE_CLASS_OUT:
self.assertNotIn(
ext,
html,
)
def test_html(self):
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
for tag in [
'<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote',
'<a href'
]:
self.assertIn(tag, sanitized_html,
'html_sanitize stripped too much of original html')
for attr in ['javascript']:
self.assertNotIn(
attr, sanitized_html,
'html_sanitize did not remove enough unwanted attributes')
def compute_tips(self, company, user):
tip = self.env['digest.tip'].search(
[('user_ids', '!=', user.id), '|',
('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)],
limit=1)
if not tip:
return False
tip.user_ids += user
body = tools.html_sanitize(tip.tip_description)
tip_description = self.env['mail.template']._render_template(
body, 'digest.tip', self.id)
return tip_description
def _get_desc(self):
for module in self:
if module.name and module.description:
path = modules.get_module_resource(
module.name, "static/description/index.html"
)
if path:
with tools.file_open(path, "rb") as desc_file:
doc = desc_file.read()
html = lxml.html.document_fromstring(doc)
for element, attribute, link, pos in html.iterlinks():
if (
element.get("src")
and "//" not in element.get("src")
and "static/" not in element.get("src")
):
element.set(
"src",
"/%s/static/description/%s"
% (module.name, element.get("src")),
)
module.description_html = tools.html_sanitize(
lxml.html.tostring(html)
)
else:
overrides = {
"embed_stylesheet": False,
"doctitle_xform": False,
"output_encoding": "unicode",
"xml_declaration": False,
"file_insertion_enabled": False,
}
output = publish_string(
source=module.description
if not module.application and module.description
else "",
settings_overrides=overrides,
writer=MyWriter(),
)
module.description_html = tools.html_sanitize(output)
def generate_document(self, res_ids, fields=None):
"""Generates an email from the template for given the given model based on
records given by res_ids.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
self.ensure_one()
multi_mode = True
if isinstance(res_ids, (int, long)):
res_ids = [res_ids]
multi_mode = False
if fields is None:
fields = ['body_html']
res_ids_to_templates = self.get_template(res_ids)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
Template = self.env['hr.document']
# generate fields value for all res_ids linked to the current template
if template.lang:
Template = Template.with_context(
lang=template._context.get('lang'))
for field in fields:
Template = Template.with_context(safe=field in {'subject'})
generated_field_values = Template.render_template(
getattr(template, field),
template.model,
template_res_ids,
post_process=(field == 'body_html'))
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# compute recipients
if any(field in fields
for field in ['email_to', 'partner_to', 'email_cc']):
results = template.generate_recipients(results,
template_res_ids)
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
if values.get('body_html'):
values['body'] = tools.html_sanitize(values['body_html'])
return multi_mode and results or results[res_ids[0]]
def default_get(self, fields_list):
res = super(SendMailDocument, self).default_get(fields_list)
context = self._context
if not context.get('install_mode'):
res['recipients'] = context['recipients']
template_id = self.browse(context.get('default_template_id'))
res['body'] = tools.html_sanitize(template_id.body)
res['name'] = template_id.name
res['subject'] = template_id.subject
res['email_cc'] = ''
partner_id = self.env['res.users'].browse(self._uid).partner_id
res['sender'] = '%s <%s>' % (partner_id.name, partner_id.email)
return res
def test_sanitize_unescape_emails(self):
not_emails = [
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>',
'<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">'
]
for email in not_emails:
sanitized = html_sanitize(email)
left_part = email.split(
'>'
)[0] # take only left part, as the sanitizer could add data information on node
self.assertNotIn(misc.html_escape(email), sanitized,
'html_sanitize stripped emails of original html')
self.assertIn(left_part, sanitized)
def convert_to_cache(self, value, record, validate=True):
if value is None or value is False:
return False
if validate and self.sanitize:
value = html_sanitize(value,
silent=True,
sanitize_tags=self.sanitize_tags,
sanitize_attributes=self.sanitize_attributes,
sanitize_style=self.sanitize_style,
strip_style=self.strip_style,
strip_classes=self.strip_classes)
if value == '<p><br></p>' or value == '<p></p>':
return None
return value
def _compute_description(self):
module_version_obj = self.env["odoo.module.version"]
for module in self:
version_ids = module.module_version_ids.ids
last_version = module_version_obj.search(
[("id", "in", version_ids)], order="organization_serie_id desc", limit=1
)
if last_version:
module.description_rst = last_version.description_rst
module.description_rst_html = last_version.description_rst_html
else:
module.description_rst = ""
module.description_rst_html = html_sanitize(
"<h1 style='color:gray;'>" + _("No Version Found") + "</h1>"
)
def mixin_render_template(self, template_xml_id=None, params=None):
# Permite compilar una plantilla qweb y obtener el codigo html
# :param template_xml_id:
# :param params:
# :param links:
# :return:
if params is None:
params = {}
body = ''
if template_xml_id:
ActionReport = self.env['ir.actions.report']
body = ActionReport.render_template(template_xml_id, values=params)
body = body.decode('utf-8')
# Ensure the current document is utf-8 encoded.
body = tools.html_sanitize(body)
return body
def _compute_description(self):
module_version_obj = self.env['odoo.module.version']
for module in self:
version_ids = module.module_version_ids.ids
last_version = module_version_obj.search(
[('id', 'in', version_ids)],
order='organization_serie_id desc', limit=1)
if last_version:
module.description_rst = last_version.description_rst
module.description_rst_html = last_version.description_rst_html
else:
module.description_rst = ''
module.description_rst_html = html_sanitize(
"<h1 style='color:gray;'>" +
_("No Version Found") +
"</h1>")
def test_mako(self):
cases = [('''<p>Some text</p>
<% set signup_url = object.get_signup_url() %>
% if signup_url:
<p>
You can access this document and pay online via our Customer Portal:
</p>''', '''<p>Some text</p>
<% set signup_url = object.get_signup_url() %>
% if signup_url:
<p>
You can access this document and pay online via our Customer Portal:
</p>''')]
for content, expected in cases:
html = html_sanitize(content, silent=False)
self.assertEqual(html, expected,
'html_sanitize: broken mako management')
def send_mail_test(self):
self.ensure_one()
ctx = dict(self.env.context)
ctx.pop('default_state', None)
self = self.with_context(ctx)
mails_sudo = self.env['mail.mail'].sudo()
mailing = self.mass_mailing_id
test_emails = tools.email_split(self.email_to)
mass_mail_layout = self.env.ref(
'mass_mailing.mass_mailing_mail_layout')
for test_mail in test_emails:
# Convert links in absolute URLs before the application of the shortener
body = self.env['mail.render.mixin']._replace_local_links(
mailing.body_html)
body = tools.html_sanitize(body,
sanitize_attributes=True,
sanitize_style=True)
mail_values = {
'email_from':
mailing.email_from,
'reply_to':
mailing.reply_to,
'email_to':
test_mail,
'subject':
mailing.subject,
'body_html':
mass_mail_layout._render({'body': body},
engine='ir.qweb',
minimal_qcontext=True),
'notification':
True,
'mailing_id':
mailing.id,
'attachment_ids':
[(4, attachment.id) for attachment in mailing.attachment_ids],
'auto_delete':
True,
'mail_server_id':
mailing.mail_server_id.id,
}
mail = self.env['mail.mail'].sudo().create(mail_values)
mails_sudo |= mail
mails_sudo.send()
return True
def message_update(self, msg_dict, update_vals=None):
""" Override to update the support ticket according to the email. """
body_short = tools.html_sanitize(msg_dict['body'])
#If the to email address is to the customer then it must be a staff member
if msg_dict.get('to') == self.email:
change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_staff_replied')
else:
change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_customer_replied')
self.state_id = change_state.id
#Add to message history to keep HTML clean
self.conversation_history_ids.create({'ticket_id': self.id, 'by': 'customer', 'content': body_short })
return super(WebsiteSupportTicket, self).message_update(msg_dict, update_vals=update_vals)
def test_mako(self):
cases = [
('''<p>Some text</p>
<% set signup_url = object.get_signup_url() %>
% if signup_url:
<p>
You can access this document and pay online via our Customer Portal:
</p>''', '''<p>Some text</p>
<% set signup_url = object.get_signup_url() %>
% if signup_url:
<p>
You can access this document and pay online via our Customer Portal:
</p>''')
]
for content, expected in cases:
html = html_sanitize(content, silent=False)
self.assertEqual(html, expected, 'html_sanitize: broken mako management')
def _odoo_values(self, google_event, default_reminders=()):
if google_event.is_cancelled():
return {'active': False}
alarm_commands = self._odoo_reminders_commands(google_event.reminders.get('overrides') or default_reminders)
attendee_commands, partner_commands = self._odoo_attendee_commands(google_event)
related_event = self.search([('google_id', '=', google_event.id)], limit=1)
name = google_event.summary or related_event and related_event.name or _("(No title)")
values = {
'name': name,
'description': google_event.description and tools.html_sanitize(google_event.description),
'location': google_event.location,
'user_id': google_event.owner(self.env).id,
'privacy': google_event.visibility or self.default_get(['privacy'])['privacy'],
'attendee_ids': attendee_commands,
'alarm_ids': alarm_commands,
'recurrency': google_event.is_recurrent()
}
if partner_commands:
# Add partner_commands only if set from Google. The write method on calendar_events will
# override attendee commands if the partner_ids command is set but empty.
values['partner_ids'] = partner_commands
if not google_event.is_recurrence():
values['google_id'] = google_event.id
if google_event.is_recurrent() and not google_event.is_recurrence():
# Propagate the follow_recurrence according to the google result
values['follow_recurrence'] = google_event.is_recurrence_follower()
if google_event.start.get('dateTime'):
# starting from python3.7, use the new [datetime, date].fromisoformat method
start = parse(google_event.start.get('dateTime')).astimezone(pytz.utc).replace(tzinfo=None)
stop = parse(google_event.end.get('dateTime')).astimezone(pytz.utc).replace(tzinfo=None)
values['allday'] = False
else:
start = parse(google_event.start.get('date'))
stop = parse(google_event.end.get('date')) - relativedelta(days=1)
# Stop date should be exclusive as defined here https://developers.google.com/calendar/v3/reference/events#resource
# but it seems that's not always the case for old event
if stop < start:
stop = parse(google_event.end.get('date'))
values['allday'] = True
values['start'] = start
values['stop'] = stop
return values
def generate_email(self, res_ids, fields=None):
multi_mode = True
if isinstance(res_ids, (int, long)):
res_ids = [res_ids]
multi_mode = False
result = super(MailTemplate, self).generate_email(res_ids,
fields=fields)
for record_id, this in self.get_email_template(res_ids).iteritems():
if this.body_type == 'qweb' and\
(not fields or 'body_html' in fields):
for record in self.env[this.model].browse(record_id):
result[record_id]['body_html'] = self.render_post_process(
this.body_view_id.render({
'object': record,
'email_template': this,
}))
result[record_id]['body'] = tools.html_sanitize(
result[record_id]['body_html'])
return multi_mode and result or result[res_ids[0]]
def generate_sms(self, res_ids, fields=None):
self.ensure_one()
multi_mode = True
if isinstance(res_ids, (int, long)):
res_ids = [res_ids]
multi_mode = False
if fields is None:
fields = ['message']
res_ids_to_templates = self.get_sms_template(res_ids)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
Template = self.env['sms.template']
# generate fields value for all res_ids linked to the current template
if template.lang:
Template = Template.with_context(
lang=template._context.get('lang'))
for field in fields:
Template = Template.with_context(safe=field in {'sender'})
generated_field_values = Template.render_template(
getattr(template, field),
template.model_id,
template_res_ids,
post_process=(field == 'message'))
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
if values.get('message'):
values['message'] = tools.html_sanitize(values['message'])
# technical settings
values.update(model_id=template.model_id,
res_id=res_id or False)
return multi_mode and results or results[res_ids[0]]
def send_mail_test(self):
self.ensure_one()
mails = self.env['mail.mail']
mailing = self.mass_mailing_id
test_emails = tools.email_split(self.email_to)
mass_mail_layout = self.env.ref(
'mass_mailing.mass_mailing_mail_layout')
for test_mail in test_emails:
# Convert links in absolute URLs before the application of the shortener
mailing.write({
'body_html':
self.env['mail.thread']._replace_local_links(mailing.body_html)
})
body = tools.html_sanitize(mailing.body_html,
sanitize_attributes=True,
sanitize_style=True)
mail_values = {
'email_from':
mailing.email_from,
'reply_to':
mailing.reply_to,
'email_to':
test_mail,
'subject':
mailing.name,
'body_html':
mass_mail_layout.render({'body': body},
engine='ir.qweb',
minimal_qcontext=True),
'notification':
True,
'mailing_id':
mailing.id,
'attachment_ids':
[(4, attachment.id) for attachment in mailing.attachment_ids],
'auto_delete':
True,
}
mail = self.env['mail.mail'].create(mail_values)
mails |= mail
mails.send()
return True
def test_quote_basic_text(self):
test_data = [
("""This is Sparta!\n--\nAdministrator\n+9988776655""",
['This is Sparta!'], ['\n--\nAdministrator\n+9988776655']),
("""<p>This is Sparta!\n--\nAdministrator</p>""", [],
['\n--\nAdministrator']),
("""<p>This is Sparta!<br/>--<br>Administrator</p>""",
['This is Sparta!'], []),
("""This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""",
['This is Sparta!', 'Certes',
'Clair'], ['\n>Ah bon ?', '\n> Chouette !'])
]
for test, in_lst, out_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
for text in out_lst:
self.assertIn(
u'<span data-o-mail-quote="1">%s</span>' %
misc.html_escape(text), new_html)
def test_quote_blockquote(self):
html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE)
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT:
self.assertIn(u'<span data-o-mail-quote="1">%s' % misc.html_escape(ext), html)
def test_style_class_only(self):
html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=False, sanitize_style=True, strip_classes=True)
for ext in test_mail_examples.REMOVE_CLASS_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.REMOVE_CLASS_OUT:
self.assertNotIn(ext, html,)
def generate_email(self, res_ids, fields=None):
"""Generates an email from the template for given the given model based on
records given by res_ids.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
self.ensure_one()
multi_mode = True
if isinstance(res_ids, pycompat.integer_types):
res_ids = [res_ids]
multi_mode = False
if fields is None:
fields = ['subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to', 'scheduled_date']
res_ids_to_templates = self.get_email_template(res_ids)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.items():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.items():
Template = self.env['mail.template']
# generate fields value for all res_ids linked to the current template
if template.lang:
Template = Template.with_context(lang=template._context.get('lang'))
for field in fields:
Template = Template.with_context(safe=field in {'subject'})
generated_field_values = Template.render_template(
getattr(template, field), template.model, template_res_ids,
post_process=(field == 'body_html'))
for res_id, field_value in generated_field_values.items():
results.setdefault(res_id, dict())[field] = field_value
# compute recipients
if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']):
results = template.generate_recipients(results, template_res_ids)
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
# body: add user signature, sanitize
if 'body_html' in fields and template.user_signature:
signature = self.env.user.signature
if signature:
values['body_html'] = tools.append_content_to_html(values['body_html'], signature, plaintext=False)
if values.get('body_html'):
values['body'] = tools.html_sanitize(values['body_html'])
# technical settings
values.update(
mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False,
attachment_ids=[attach.id for attach in template.attachment_ids],
)
# Add report in attachments: generate once for all template_res_ids
if template.report_template:
for res_id in template_res_ids:
attachments = []
report_name = self.render_template(template.report_name, template.model, res_id)
report = template.report_template
report_service = report.report_name
if report.report_type not in ['qweb-html', 'qweb-pdf']:
raise UserError(_('Unsupported report type %s found.') % report.report_type)
result, format = report.render_qweb_pdf([res_id])
# TODO in trunk, change return format to binary to match message_post expected format
result = base64.b64encode(result)
if not report_name:
report_name = 'report.' + report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
results[res_id]['attachments'] = attachments
return multi_mode and results or results[res_ids[0]]
def generate_email(self, res_ids, fields=None):
"""Generates an email from the template for given the given model based on
records given by res_ids.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
self.ensure_one()
multi_mode = True
if isinstance(res_ids, (int, long)):
res_ids = [res_ids]
multi_mode = False
if fields is None:
fields = [
"subject",
"body_html",
"email_from",
"email_to",
"partner_to",
"email_cc",
"reply_to",
"scheduled_date",
]
res_ids_to_templates = self.get_email_template(res_ids)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
Template = self.env["mail.template"]
# generate fields value for all res_ids linked to the current template
if template.lang:
Template = Template.with_context(lang=template._context.get("lang"))
for field in fields:
Template = Template.with_context(safe=field in {"subject"})
generated_field_values = Template.render_template(
getattr(template, field), template.model, template_res_ids, post_process=(field == "body_html")
)
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# compute recipients
if any(field in fields for field in ["email_to", "partner_to", "email_cc"]):
results = template.generate_recipients(results, template_res_ids)
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
# body: add user signature, sanitize
if "body_html" in fields and template.user_signature:
signature = self.env.user.signature
if signature:
values["body_html"] = tools.append_content_to_html(
values["body_html"], signature, plaintext=False
)
if values.get("body_html"):
values["body"] = tools.html_sanitize(values["body_html"])
# technical settings
values.update(
mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False,
attachment_ids=[attach.id for attach in template.attachment_ids],
)
# Add report in attachments: generate once for all template_res_ids
if template.report_template and not "report_template_in_attachment" in self.env.context:
for res_id in template_res_ids:
attachments = []
report_name = self.render_template(template.report_name, template.model, res_id)
report = template.report_template
report_service = report.report_name
if report.report_type in ["qweb-html", "qweb-pdf"]:
result, format = Template.env["report"].get_pdf([res_id], report_service), "pdf"
else:
result, format = odoo_report.render_report(
self._cr, self._uid, [res_id], report_service, {"model": template.model}, Template._context
)
# TODO in trunk, change return format to binary to match message_post expected format
result = base64.b64encode(result)
if not report_name:
report_name = "report." + report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
results[res_id]["attachments"] = attachments
return multi_mode and results or results[res_ids[0]]
def test_quote_thunderbird_html(self):
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_HTML)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_OUT:
self.assertIn(ext, html)
def test_quote_thunderbird(self):
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT:
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_quote_blockquote(self):
html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE)
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT:
self.assertIn('<span data-o-mail-quote="1">%s' % cgi.escape(ext.decode('utf-8')), html)
def test_html(self):
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']:
self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html')
for attr in ['javascript']:
self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
def test_quote_gmail(self):
html = html_sanitize(test_mail_examples.GMAIL_1)
for ext in test_mail_examples.GMAIL_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.GMAIL_1_OUT:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext), html)
def test_quote_bugs(self):
html = html_sanitize(test_mail_examples.BUG1)
for ext in test_mail_examples.BUG_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.BUG_1_OUT:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext.decode('utf-8')), html)
def test_cid_with_at(self):
img_tag = '<img src="@">'
sanitized = html_sanitize(img_tag, sanitize_tags=False, strip_classes=True)
self.assertEqual(img_tag, sanitized, "img with can have cid containing @ and shouldn't be escaped")