def test_style_parsing(self): test_data = [ ('<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>', ['background-color:red', 'Coin coin'], ['position', 'top', 'left']), ("""<div style='before: "Email Address; coincoin cheval: lapin"; font-size: 30px; max-width: 100%; after: "Not sure this; means: anything ?#ùµ" ; some-property: 2px; top: 3'>youplaboum</div>""", ['font-size:30px', 'youplaboum'], ['some-property', 'top', 'cheval']), ('<span style="width">Coincoin</span>', [], ['width']) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test, sanitize_attributes=False, sanitize_style=True, strip_style=False, strip_classes=False) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertNotIn(text, new_html) # style should not be sanitized if removed new_html = html_sanitize(test_data[0][0], sanitize_attributes=False, strip_style=True, strip_classes=False) self.assertEqual(new_html, u'<span>Coin coin </span>')
def test_quote_hotmail_html(self): html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML) for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT: self.assertIn(ext, html) html = html_sanitize(test_mail_examples.HOTMAIL_1) for ext in test_mail_examples.HOTMAIL_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.HOTMAIL_1_OUT: self.assertIn(ext, html)
def test_misc(self): # False / void should not crash html = html_sanitize('') self.assertEqual(html, '') html = html_sanitize(False) self.assertEqual(html, False) # Message with xml and doctype tags don't crash html = html_sanitize( u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n' ) self.assertNotIn('encoding', html) self.assertNotIn('<title>404 - Not Found</title>', html) self.assertIn('<h1>404 - Not Found</h1>', html)
def test_quote_text(self): html = html_sanitize(test_mail_examples.TEXT_1) for ext in test_mail_examples.TEXT_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.TEXT_1_OUT: self.assertIn( u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html) html = html_sanitize(test_mail_examples.TEXT_2) for ext in test_mail_examples.TEXT_2_IN: self.assertIn(ext, html) for ext in test_mail_examples.TEXT_2_OUT: self.assertIn( u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_quote_blockquote(self): html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT: self.assertIn( u'<span data-o-mail-quote="1">%s' % misc.html_escape(ext), html)
def test_quote_thunderbird(self): html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1) for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT: self.assertIn( u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_edi_source(self): html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE) self.assertIn( 'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;', html, 'html_sanitize removed valid styling') self.assertIn( 'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html, 'html_sanitize removed valid img') self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def test_sanitize_escape_emails(self): emails = [ "Charles <*****@*****.**>", "Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>", "Technical <service/[email protected]>", "Div nico <*****@*****.**>" ] for email in emails: self.assertIn(misc.html_escape(email), html_sanitize(email), 'html_sanitize stripped emails of original html')
def test_basic_sanitizer(self): cases = [ ("yop", "<p>yop</p>"), # simple ("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text ("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci", u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>" ), # unicode ] for content, expected in cases: html = html_sanitize(content) self.assertEqual(html, expected, 'html_sanitize is broken')
def test_quote_signature(self): test_data = [( """<div>Hello<pre>--<br />Administrator</pre></div>""", [ "<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">" ], )] for test, in_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html)
def test_style_class_only(self): html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=False, sanitize_style=True, strip_classes=True) for ext in test_mail_examples.REMOVE_CLASS_IN: self.assertIn(ext, html) for ext in test_mail_examples.REMOVE_CLASS_OUT: self.assertNotIn( ext, html, )
def test_html(self): sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE) for tag in [ '<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href' ]: self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html') for attr in ['javascript']: self.assertNotIn( attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
def test_sanitize_unescape_emails(self): not_emails = [ '<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>', '<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">' ] for email in not_emails: sanitized = html_sanitize(email) left_part = email.split( '>' )[0] # take only left part, as the sanitizer could add data information on node self.assertNotIn(misc.html_escape(email), sanitized, 'html_sanitize stripped emails of original html') self.assertIn(left_part, sanitized)
def test_mako(self): cases = [('''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''', '''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''')] for content, expected in cases: html = html_sanitize(content, silent=False) self.assertEqual(html, expected, 'html_sanitize: broken mako management')
def test_quote_basic_text(self): test_data = [ ("""This is Sparta!\n--\nAdministrator\n+9988776655""", ['This is Sparta!'], ['\n--\nAdministrator\n+9988776655']), ("""<p>This is Sparta!\n--\nAdministrator</p>""", [], ['\n--\nAdministrator']), ("""<p>This is Sparta!<br/>--<br>Administrator</p>""", ['This is Sparta!'], []), ("""This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""", ['This is Sparta!', 'Certes', 'Clair'], ['\n>Ah bon ?', '\n> Chouette !']) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertIn( u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(text), new_html)
def send_mail_test(self): self.ensure_one() mails = self.env['mail.mail'] mailing = self.mass_mailing_id test_emails = tools.email_split(self.email_to) for test_mail in test_emails: # Convert links in absolute URLs before the application of the shortener mailing.write({ 'body_html': self.env['mail.template']._replace_local_links( mailing.body_html) }) mail_values = { 'email_from': mailing.email_from, 'reply_to': mailing.reply_to, 'email_to': test_mail, 'subject': mailing.name, 'body_html': tools.html_sanitize(mailing.body_html, sanitize_attributes=True, sanitize_style=True, strip_classes=True), 'notification': True, 'mailing_id': mailing.id, 'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids], 'auto_delete': True, } mail = self.env['mail.mail'].create(mail_values) mails |= mail mails.send() return True
def test_evil_malicious_code(self): # taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests cases = [ ("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons ("<IMG SRC=javascript:alert('XSS')>" ), # UTF-8 Unicode encoding ("<IMG SRC=javascript:alert('XSS')>" ), # hex encoding ("<IMG SRC=\"jav
ascript:alert('XSS');\">" ), # embedded carriage return ("<IMG SRC=\"jav
ascript:alert('XSS');\">" ), # embedded newline ("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab ("<IMG SRC=\"jav	ascript:alert('XSS');\">" ), # embedded encoded tab ("<IMG SRC=\"  javascript:alert('XSS');\">" ), # spaces and meta-characters ("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html ("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">" ), # malformed tag ("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" ), # non-alpha-non-digits ("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>" ), # non-alpha-non-digits ("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>" ), # extraneous open brackets ("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >" ), # non-closing script tags ("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">" ), # input image ("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image ("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc ("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc ("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table ("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td ("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" ), # div background ("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">" ), # div background with unicoded exploit ("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">" ), # div background + extra characters ("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image ("<BODY ONLOAD=alert('XSS')>"), # event handler ("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes ("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">" ), # style sheet ("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">" ), # remote style sheet ("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>" ), # remote style sheet 2 ("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">" ), # remote style sheet 3 ("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>" ), # remote style sheet 4 ("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">" ), # style attribute using a comment to break up expression ] for content in cases: html = html_sanitize(content) self.assertNotIn( 'javascript', html, 'html_sanitize did not remove a malicious javascript') self.assertTrue( 'ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html)) content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block self.assertEquals(html_sanitize(content, silent=False), '')
def generate_email(self, res_ids, fields=None): """Generates an email from the template for given the given model based on records given by res_ids. :param template_id: id of the template to render. :param res_id: id of the record to use for rendering the template (model is taken from template definition) :returns: a dict containing all relevant fields for creating a new mail.mail entry, with one extra key ``attachments``, in the format [(report_name, data)] where data is base64 encoded. """ self.ensure_one() multi_mode = True if isinstance(res_ids, pycompat.integer_types): res_ids = [res_ids] multi_mode = False if fields is None: fields = [ 'subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to', 'scheduled_date' ] res_ids_to_templates = self.get_email_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.items(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.items(): Template = self.env['mail.template'] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context( lang=template._context.get('lang')) for field in fields: Template = Template.with_context(safe=field in {'subject'}) generated_field_values = Template.render_template( getattr(template, field), template.model, template_res_ids, post_process=(field == 'body_html')) for res_id, field_value in generated_field_values.items(): results.setdefault(res_id, dict())[field] = field_value # compute recipients if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']): results = template.generate_recipients(results, template_res_ids) # update values for all res_ids for res_id in template_res_ids: values = results[res_id] # body: add user signature, sanitize if 'body_html' in fields and template.user_signature: signature = self.env.user.signature if signature: values['body_html'] = tools.append_content_to_html( values['body_html'], signature, plaintext=False) if values.get('body_html'): values['body'] = tools.html_sanitize(values['body_html']) # technical settings values.update( mail_server_id=template.mail_server_id.id or False, auto_delete=template.auto_delete, model=template.model, res_id=res_id or False, attachment_ids=[ attach.id for attach in template.attachment_ids ], ) # Add report in attachments: generate once for all template_res_ids if template.report_template: for res_id in template_res_ids: attachments = [] report_name = self.render_template(template.report_name, template.model, res_id) report = template.report_template report_service = report.report_name if report.report_type not in ['qweb-html', 'qweb-pdf']: raise UserError( _('Unsupported report type %s found.') % report.report_type) result, format = report.render_qweb_pdf([res_id]) # TODO in trunk, change return format to binary to match message_post expected format result = base64.b64encode(result) if not report_name: report_name = 'report.' + report_service ext = "." + format if not report_name.endswith(ext): report_name += ext attachments.append((report_name, result)) results[res_id]['attachments'] = attachments return multi_mode and results or results[res_ids[0]]
def test_quote_thunderbird_html(self): html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_HTML) for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_OUT: self.assertIn(ext, html)