def test_style_parsing(self):
test_data = [
('<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>',
['background-color: red',
'Coin coin'], ['position', 'top', 'left']),
("""<div style='before: "Email Address; coincoin cheval: lapin";
font-size: 30px; max-width: 100%; after: "Not sure
this; means: anything ?#ùµ"
; some-property: 2px; top: 3'>youplaboum</div>""",
['font-size: 30px',
'youplaboum'], ['some-property', 'top', 'cheval']),
('<span style="width">Coincoin</span>', [], ['width'])
]
for test, in_lst, out_lst in test_data:
new_html = html_sanitize(test,
strict=False,
strip_style=False,
strip_classes=False)
for text in in_lst:
self.assertIn(text, new_html)
for text in out_lst:
self.assertNotIn(text, new_html)
# style should not be sanitized if removed
new_html = html_sanitize(test_data[0][0],
strict=False,
strip_style=True,
strip_classes=False)
self.assertEqual(new_html, u'<span>Coin coin </span>')
def _get_desc(self, cr, uid, ids, field_name=None, arg=None, context=None):
res = dict.fromkeys(ids, "")
for module in self.browse(cr, uid, ids, context=context):
path = get_module_resource(module.name, "static/description/index.html")
if path:
with tools.file_open(path, "rb") as desc_file:
doc = desc_file.read()
html = lxml.html.document_fromstring(doc)
for element, attribute, link, pos in html.iterlinks():
if (
element.get("src")
and not "//" in element.get("src")
and not "static/" in element.get("src")
):
element.set("src", "/%s/static/description/%s" % (module.name, element.get("src")))
res[module.id] = html_sanitize(lxml.html.tostring(html))
else:
overrides = {
"embed_stylesheet": False,
"doctitle_xform": False,
"output_encoding": "unicode",
"xml_declaration": False,
}
output = publish_string(
source=module.description or "", settings_overrides=overrides, writer=MyWriter()
)
res[module.id] = html_sanitize(output)
return res
def test_style_parsing(self):
test_data = [
(
'<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>',
['background-color: red', 'Coin coin'],
['position', 'top', 'left']
), (
"""<div style='before: "Email Address; coincoin cheval: lapin";
font-size: 30px; max-width: 100%; after: "Not sure
this; means: anything ?#ùµ"
; some-property: 2px; top: 3'>youplaboum</div>""",
['font-size: 30px', 'youplaboum'],
['some-property', 'top', 'cheval']
), (
'<span style="width">Coincoin</span>',
[],
['width']
)
]
for test, in_lst, out_lst in test_data:
new_html = html_sanitize(test, strict=False, strip_style=False, strip_classes=False)
for text in in_lst:
self.assertIn(text, new_html)
for text in out_lst:
self.assertNotIn(text, new_html)
# style should not be sanitized if removed
new_html = html_sanitize(test_data[0][0], strict=False, strip_style=True, strip_classes=False)
self.assertEqual(new_html, u'<span>Coin coin </span>')
def _get_desc(self, cr, uid, ids, field_name=None, arg=None, context=None):
res = dict.fromkeys(ids, '')
for module in self.browse(cr, uid, ids, context=context):
path = get_module_resource(module.name,
'static/description/index.html')
if path:
with tools.file_open(path, 'rb') as desc_file:
doc = desc_file.read()
html = lxml.html.document_fromstring(doc)
for element, attribute, link, pos in html.iterlinks():
if element.get('src') and not '//' in element.get(
'src') and not 'static/' in element.get('src'):
element.set(
'src', "/%s/static/description/%s" %
(module.name, element.get('src')))
res[module.id] = html_sanitize(lxml.html.tostring(html))
else:
overrides = {
'embed_stylesheet': False,
'doctitle_xform': False,
'output_encoding': 'unicode',
'xml_declaration': False,
}
output = publish_string(source=module.description or '',
settings_overrides=overrides,
writer=MyWriter())
res[module.id] = html_sanitize(output)
return res
def test_evil_malicious_code(self):
# taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
cases = [
("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons
(
"<IMG SRC=javascript:alert('XSS')>"
), # UTF-8 Unicode encoding
(
"<IMG SRC=javascript:alert('XSS')>"
), # hex encoding
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline
("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab
("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab
("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters
("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html
('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'), # malformed tag
('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'), # non-alpha-non-digits
('<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>'), # non-alpha-non-digits
('<<SCRIPT>alert("XSS");//<</SCRIPT>'), # extraneous open brackets
("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags
('<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">'), # input image
("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image
("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc
("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc
("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table
("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background
(
"<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"
), # div background with unicoded exploit
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters
("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image
("<BODY ONLOAD=alert('XSS')>"), # event handler
("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes
('<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">'), # style sheet
('<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">'), # remote style sheet
("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2
(
'<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">'
), # remote style sheet 3
('<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>'), # remote style sheet 4
(
"<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"
), # style attribute using a comment to break up expression
]
for content in cases:
html = html_sanitize(content)
self.assertNotIn("javascript", html, "html_sanitize did not remove a malicious javascript")
self.assertTrue(
"ha.ckers.org" not in html or "http://ha.ckers.org/xss.css" in html,
"html_sanitize did not remove a malicious code in %s (%s)" % (content, html),
)
content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block
self.assertEquals(html_sanitize(content, silent=False), "")
def test_quote_hotmail_html(self):
html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML)
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT:
self.assertIn(ext, html)
html = html_sanitize(test_mail_examples.HOTMAIL_1)
for ext in test_mail_examples.HOTMAIL_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.HOTMAIL_1_OUT:
self.assertIn(ext, html)
def test_quote_hotmail_html(self):
html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML)
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT:
self.assertIn(ext, html)
html = html_sanitize(test_mail_examples.HOTMAIL_1)
for ext in test_mail_examples.HOTMAIL_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.HOTMAIL_1_OUT:
self.assertIn(ext, html)
def test_quote_text(self):
html = html_sanitize(test_mail_examples.TEXT_1)
for ext in test_mail_examples.TEXT_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.TEXT_1_OUT:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext), html)
html = html_sanitize(test_mail_examples.TEXT_2)
for ext in test_mail_examples.TEXT_2_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.TEXT_2_OUT:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext), html)
def test_misc(self):
# False / void should not crash
html = html_sanitize('')
self.assertEqual(html, '')
html = html_sanitize(False)
self.assertEqual(html, False)
# Message with xml and doctype tags don't crash
html = html_sanitize(u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n')
self.assertNotIn('encoding', html)
self.assertNotIn('<title>404 - Not Found</title>', html)
self.assertIn('<h1>404 - Not Found</h1>', html)
def test_html(self):
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']:
self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html')
for attr in ['javascript']:
self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
emails = [("Charles <*****@*****.**>", "Charles <[email protected]>"),
("Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>", "Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>"),
("Technical <service/[email protected]>", "Technical <service/[email protected]>"),
("Div nico <*****@*****.**>", "Div nico <[email protected]>")]
for email in emails:
self.assertIn(email[1], html_sanitize(email[0]), 'html_sanitize stripped emails of original html')
def test_html(self):
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']:
self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html')
for attr in ['javascript']:
self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
emails = [("Charles <*****@*****.**>", "Charles <[email protected]>"),
("Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>", "Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>"),
("Technical <service/[email protected]>", "Technical <service/[email protected]>"),
("Div nico <*****@*****.**>", "Div nico <[email protected]>")]
for email in emails:
self.assertIn(email[1], html_sanitize(email[0]), 'html_sanitize stripped emails of original html')
def test_misc(self):
# False / void should not crash
html = html_sanitize('')
self.assertEqual(html, '')
html = html_sanitize(False)
self.assertEqual(html, False)
# Message with xml and doctype tags don't crash
html = html_sanitize(
u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n'
)
self.assertNotIn('encoding', html)
self.assertNotIn('<title>404 - Not Found</title>', html)
self.assertIn('<h1>404 - Not Found</h1>', html)
def message_update(self, msg_dict, update_vals=None):
""" Override to update the support ticket according to the email. """
if self.close_lock:
# Send lock email
setting_ticket_lock_email_template_id = self.env['ir.default'].get('website.support.settings', 'ticket_lock_email_template_id')
if setting_ticket_lock_email_template_id:
mail_template = self.env['mail.template'].browse(setting_ticket_lock_email_template_id)
else:
# BACK COMPATABLITY FAIL SAFE
mail_template = self.env['ir.model'].get_object('website_support', 'support_ticket_close_lock')
mail_template.send_mail(self.id, True)
return False
body_short = tools.html_sanitize(msg_dict['body'])
#body_short = tools.html_email_clean(msg_dict['body'], shorten=True, remove=True)
#Add to message history to keep HTML clean
self.conversation_history.create({'ticket_id': self.id, 'by': 'customer', 'content': body_short })
#If the to email address is to the customer then it must be a staff member
if msg_dict.get('to') == self.email:
change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_staff_replied')
else:
change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_customer_replied')
self.state = change_state.id
return super(WebsiteSupportTicket, self).message_update(msg_dict, update_vals=update_vals)
def convert_answer_to_comment(self):
""" Tools to convert an answer (forum.post) to a comment (mail.message).
The original post is unlinked and a new comment is posted on the question
using the post create_uid as the comment's author. """
if not self.parent_id:
return False
# karma-based action check: use the post field that computed own/all value
if not self.can_comment_convert:
raise KarmaError('Not enough karma to convert an answer to a comment')
# post the message
question = self.parent_id
values = {
'author_id': self.sudo().create_uid.partner_id.id, # use sudo here because of access to res.users model
'body': tools.html_sanitize(self.content, strict=True, strip_style=True, strip_classes=True),
'message_type': 'comment',
'subtype': 'mail.mt_comment',
'date': self.create_date,
}
new_message = self.browse(question.id).with_context(mail_create_nosubscribe=True).message_post(**values)
# unlink the original answer, using SUPERUSER_ID to avoid karma issues
self.sudo().unlink()
return new_message
def test_quote_text(self):
html = html_sanitize(test_mail_examples.TEXT_1)
for ext in test_mail_examples.TEXT_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.TEXT_1_OUT:
self.assertIn(
'<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext),
html)
html = html_sanitize(test_mail_examples.TEXT_2)
for ext in test_mail_examples.TEXT_2_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.TEXT_2_OUT:
self.assertIn(
'<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext),
html)
def generate_email(self, cr, uid, template_id, res_id, context=None):
"""Generates an email from the template for given (model, res_id) pair.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
if context is None:
context = {}
report_xml_pool = self.pool.get('ir.actions.report.xml')
template = self.get_email_template(cr, uid, template_id, res_id, context)
values = {}
for field in ['subject', 'body_html', 'email_from',
'email_to', 'email_recipients', 'email_cc', 'reply_to']:
values[field] = self.render_template(cr, uid, getattr(template, field),
template.model, res_id, context=context) \
or False
if template.user_signature:
signature = self.pool.get('res.users').browse(cr, uid, uid, context).signature
values['body_html'] = tools.append_content_to_html(values['body_html'], signature)
if values['body_html']:
values['body'] = tools.html_sanitize(values['body_html'])
values.update(mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False)
attachments = []
# Add report in attachments
if template.report_template:
report_name = self.render_template(cr, uid, template.report_name, template.model, res_id, context=context)
report_service = 'report.' + report_xml_pool.browse(cr, uid, template.report_template.id, context).report_name
# Ensure report is rendered using template's language
ctx = context.copy()
if template.lang:
ctx['lang'] = self.render_template(cr, uid, template.lang, template.model, res_id, context)
service = netsvc.LocalService(report_service)
(result, format) = service.create(cr, uid, [res_id], {'model': template.model}, ctx)
# TODO in trunk, change return format to binary to match message_post expected format
result = base64.b64encode(result)
if not report_name:
report_name = report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
attachment_ids = []
# Add template attachments
for attach in template.attachment_ids:
attachment_ids.append(attach.id)
values['attachments'] = attachments
values['attachment_ids'] = attachment_ids
return values
def message_new(self, msg, custom_values=None):
""" Create new support ticket upon receiving new email"""
defaults = {'support_email': msg.get('to'), 'subject': msg.get('subject')}
#Extract the name from the from email if you can
if "<" in msg.get('from') and ">" in msg.get('from'):
start = msg.get('from').rindex( "<" ) + 1
end = msg.get('from').rindex( ">", start )
from_email = msg.get('from')[start:end]
from_name = msg.get('from').split("<")[0].strip()
defaults['person_name'] = from_name
else:
from_email = msg.get('from')
defaults['email'] = from_email
defaults['channel'] = "Email"
#Try to find the partner using the from email
search_partner = self.env['res.partner'].sudo().search([('email','=', from_email)])
if len(search_partner) > 0:
defaults['partner_id'] = search_partner[0].id
defaults['person_name'] = search_partner[0].name
defaults['description'] = tools.html_sanitize(msg.get('body'))
#Assign to default category
setting_email_default_category_id = self.env['ir.default'].get('website.support.settings', 'email_default_category_id')
if setting_email_default_category_id:
defaults['category'] = setting_email_default_category_id
return super(WebsiteSupportTicket, self).message_new(msg, custom_values=defaults)
def send_get_email_dict(self, cr, uid, mail, partner=None, context=None):
"""Return a dictionary for specific email values, depending on a
partner, or generic to the whole recipients given by mail.email_to.
:param browse_record mail: mail.mail browse_record
:param browse_record partner: specific recipient partner
"""
body = self.send_get_mail_body(cr,
uid,
mail,
partner=partner,
context=context)
body_alternative = tools.html2plaintext(tools.html_sanitize(body))
res = {
'body':
body,
'body_alternative':
body_alternative,
'subject':
self.send_get_mail_subject(cr,
uid,
mail,
partner=partner,
context=context),
'email_to':
self.send_get_mail_to(cr,
uid,
mail,
partner=partner,
context=context),
}
return res
def message_new(self, msg, custom_values=None):
""" Create new support ticket upon receiving new email"""
from_email = msg.get('from')
from_name = msg.get('from')
if "<" in msg.get('from') and ">" in msg.get('from'):
start = msg.get('from').rindex( "<" ) + 1
end = msg.get('from').rindex( ">", start )
from_email = msg.get('from')[start:end]
from_name = msg.get('from').split("<")[0].strip()
search_partner = self.env['res.partner'].sudo().search([('email','=', from_email )])
partner_id = False
if len(search_partner) > 0:
partner_id = search_partner[0].id
from_name = search_partner[0].name
body_short = tools.html_sanitize(msg.get('body'))
#body_short = tools.html_email_clean(msg.get('body'), shorten=True, remove=True)
portal_access_key = randint(1000000000,2000000000)
defaults = {'partner_id': partner_id, 'person_name': from_name, 'email': msg.get('from'), 'subject': msg.get('subject'), 'description': body_short, 'portal_access_key': portal_access_key}
return super(WebsiteSupportTicket, self).message_new(msg, custom_values=defaults)
def message_new(self, msg, custom_values=None):
""" Create new support ticket upon receiving new email"""
defaults = {'support_email': msg.get('to'), 'subject': msg.get('subject')}
#Extract the name from the from email if you can
if "<" in msg.get('from') and ">" in msg.get('from'):
start = msg.get('from').rindex( "<" ) + 1
end = msg.get('from').rindex( ">", start )
from_email = msg.get('from')[start:end]
from_name = msg.get('from').split("<")[0].strip()
defaults['person_name'] = from_name
else:
from_email = msg.get('from')
defaults['email'] = from_email
defaults['channel'] = "Email"
#Try to find the partner using the from email
search_partner = self.env['res.partner'].sudo().search([('email','=', from_email)])
if len(search_partner) > 0:
defaults['partner_id'] = search_partner[0].id
defaults['person_name'] = search_partner[0].name
defaults['description'] = tools.html_sanitize(msg.get('body'))
#Assign to default category
setting_email_default_category_id = self.env['ir.default'].get('website.support.settings', 'email_default_category_id')
if setting_email_default_category_id:
defaults['category'] = setting_email_default_category_id
return super(WebsiteSupportTicket, self).message_new(msg, custom_values=defaults)
def message_new(self, msg, custom_values=None):
""" Create new support ticket upon receiving new email"""
defaults = {
'support_email': msg.get('to'),
'subject': msg.get('subject')
}
#Extract the name from the from email if you can
if "<" in msg.get('from') and ">" in msg.get('from'):
start = msg.get('from').rindex("<") + 1
end = msg.get('from').rindex(">", start)
from_email = msg.get('from')[start:end]
from_name = msg.get('from').split("<")[0].strip()
defaults['first_name'] = from_name
else:
from_email = msg.get('from')
defaults['email'] = from_email
#Try to find the partner using the from email
search_partner = self.env['res.partner'].sudo().search([('email', '=',
from_email)])
if len(search_partner) > 0:
defaults['partner_id'] = search_partner[0].id
defaults['first_name'] = search_partner[0].name
defaults['description'] = tools.html_sanitize(msg.get('body'))
portal_access_key = randint(1000000000, 2000000000)
defaults['portal_access_key'] = portal_access_key
return super(WebsiteSupportTicket,
self).message_new(msg, custom_values=defaults)
def convert_answer_to_comment(self):
""" Tools to convert an answer (forum.post) to a comment (mail.message).
The original post is unlinked and a new comment is posted on the question
using the post create_uid as the comment's author. """
if not self.parent_id:
return False
# karma-based action check: use the post field that computed own/all value
if not self.can_comment_convert:
raise KarmaError('Not enough karma to convert an answer to a comment')
# post the message
question = self.parent_id
values = {
'author_id': self.sudo().create_uid.partner_id.id, # use sudo here because of access to res.users model
'body': tools.html_sanitize(self.content, strict=True, strip_style=True, strip_classes=True),
'type': 'comment',
'subtype': 'mail.mt_comment',
'date': self.create_date,
}
new_message = self.browse(question.id).with_context(mail_create_nosubscribe=True).message_post(**values)
# unlink the original answer, using SUPERUSER_ID to avoid karma issues
self.sudo().unlink()
return new_message
def generate_email(self, res_ids, fields=None):
multi_mode = True
if isinstance(res_ids, (int, long)):
res_ids = [res_ids]
multi_mode = False
result = super(MailTemplate, self).generate_email(res_ids,
fields=fields)
for record_id, this in self.get_email_template(res_ids).iteritems():
if this.body_type == 'qweb' and\
(not fields or 'body_html' in fields):
for record in self.env[this.model].browse(record_id):
body_html = this.body_view_id.render({
'object':
record,
'email_template':
this,
})
# Some wizards, like when sending a sales order, need this
# fix to display accents correctly
if not isinstance(body_html, unicode):
body_html = body_html.decode('utf-8')
result[record_id]['body_html'] = self.render_post_process(
body_html)
result[record_id]['body'] = tools.html_sanitize(
result[record_id]['body_html'])
return multi_mode and result or result[res_ids[0]]
def message_update(self, msg_dict, update_vals=None):
""" Override to update the support ticket according to the email. """
body_short = tools.html_sanitize(msg_dict['body'])
#body_short = tools.html_email_clean(msg_dict['body'], shorten=True, remove=True)
#s = MLStripper()
#s.feed(body_short)
#body_short = s.get_data()
#Add to message history field for back compatablity
self.conversation_history.create({
'ticket_id': self.id,
'by': 'customer',
'content': body_short
})
#If the to email address is to the customer then it must be a staff member...
if msg_dict.get('to') == self.email:
change_state = self.env['ir.model.data'].get_object(
'website_support', 'website_ticket_state_staff_replied')
else:
change_state = self.env['ir.model.data'].get_object(
'website_support', 'website_ticket_state_customer_replied')
self.state = change_state.id
return super(WebsiteSupportTicket,
self).message_update(msg_dict, update_vals=update_vals)
def generate_email_batch(self, template_id, res_ids, fields=None):
result = super(EmailTemplate, self).generate_email_batch(template_id,
res_ids,
fields=fields)
this = self.browse(template_id)
for record_id, this in self.get_email_template_batch(
template_id, res_ids).iteritems():
if this.model_id.model == 'newsletter.newsletter' and\
self.env.context.get('newsletter_res_id') and\
this.body_type == 'qweb' and\
(not fields or 'body_html' in fields):
for record in self.env[this.model].browse(record_id):
result[record_id]['body_html'] = self.env['ir.qweb']\
._model.render_node(
etree.fromstring(
result[record_id]['body_html'],
etree.HTMLParser()
),
self
._generate_email_batch_get_newsletter_qcontext({
'object': self.env[record.type_id.model.model]
.browse(self.env.context['newsletter_res_id']),
'newsletter': record,
}),
)
result[record_id]['body'] = tools.html_sanitize(
result[record_id]['body_html'])
return result
def test_quote_basic_text(self):
test_data = [
(
"""This is Sparta!\n--\nAdministrator\n+9988776655""",
['This is Sparta!'],
['\n--\nAdministrator\n+9988776655']
), (
"""<p>This is Sparta!\n--\nAdministrator</p>""",
[],
['\n--\nAdministrator']
), (
"""<p>This is Sparta!<br/>--<br>Administrator</p>""",
['This is Sparta!'],
[]
), (
"""This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""",
['This is Sparta!', 'Certes', 'Clair'],
['\n>Ah bon ?', '\n> Chouette !']
)
]
for test, in_lst, out_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
for text in out_lst:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(text), new_html)
def migrate_phonecalls(env):
activity = env.ref('crm.crm_activity_data_call')
env.cr.execute(
'select id, opportunity_id, partner_id, '
'coalesce(user_id, write_uid, create_uid) as user_id, '
'name, description, partner_phone, partner_mobile '
'from crm_phonecall '
"where active and state not in ('cancel')")
env = env(context={
'mail_post_autofollow': False,
'mail_create_nosubscribe': True,
})
for phonecall in env.cr.dictfetchall():
record = env['res.users'].browse(phonecall['user_id'])
if phonecall['opportunity_id']: # pragma: no cover
record = env['crm.lead'].browse(phonecall['opportunity_id'])
if phonecall['partner_id']:
record = env['res.partner'].browse(phonecall['partner_id'])
body = (
'<div>%(description)s</div><div>%(partner_phone)s</div>'
'<div>%(partner_mobile)s</div><div>Phone call %(id)s</div>'
) % {
key: html_sanitize(value)
for key, value in phonecall.iteritems()
}
record.message_post(
body=body, subject=phonecall['name'] or 'Phone call',
subtype_id=activity.subtype_id.id)
def generate_email(self, cr, uid, template_id, res_id, context=None):
"""Generates an email from the template for given (model, res_id) pair.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format expected by :py:meth:`mail_thread.message_post`.
"""
if context is None:
context = {}
report_xml_pool = self.pool.get('ir.actions.report.xml')
template = self.get_email_template(cr, uid, template_id, res_id, context)
values = {}
for field in ['subject', 'body_html', 'email_from',
'email_to', 'email_recipients', 'email_cc', 'reply_to']:
values[field] = self.render_template(cr, uid, getattr(template, field),
template.model, res_id, context=context) \
or False
if template.user_signature:
signature = self.pool.get('res.users').browse(cr, uid, uid, context).signature
values['body_html'] = tools.append_content_to_html(values['body_html'], signature)
if values['body_html']:
values['body'] = tools.html_sanitize(values['body_html'])
values.update(mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False)
attachments = []
# Add report in attachments
if template.report_template:
report_name = self.render_template(cr, uid, template.report_name, template.model, res_id, context=context)
report_service = 'report.' + report_xml_pool.browse(cr, uid, template.report_template.id, context).report_name
# Ensure report is rendered using template's language
ctx = context.copy()
if template.lang:
ctx['lang'] = self.render_template(cr, uid, template.lang, template.model, res_id, context)
service = netsvc.LocalService(report_service)
(result, format) = service.create(cr, uid, [res_id], {'model': template.model}, ctx)
result = base64.b64encode(result)
if not report_name:
report_name = report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
attachment_ids = []
# Add template attachments
for attach in template.attachment_ids:
attachment_ids.append(attach.id)
values['attachments'] = attachments
values['attachment_ids'] = attachment_ids
return values
def _get_desc(self, cr, uid, ids, field_name=None, arg=None, context=None):
res = dict.fromkeys(ids, '')
for module in self.browse(cr, uid, ids, context=context):
overrides = dict(embed_stylesheet=False, doctitle_xform=False,
output_encoding='unicode', xml_declaration=False)
output = publish_string(source=module.description, settings_overrides=overrides, writer=MyWriter())
res[module.id] = html_sanitize(output)
return res
def test_quote_blockquote(self):
html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE)
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT:
self.assertIn(
'<span data-o-mail-quote="1">%s' %
cgi.escape(ext.decode('utf-8')), html)
def test_quote_thunderbird(self):
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT:
self.assertIn(
'<span data-o-mail-quote="1">%s</span>' %
cgi.escape(ext.decode('utf-8')), html)
def _compute_description_rst_html(self):
for version in self:
if version.description_rst:
try:
output = publish_string(
source=version.description_rst,
settings_overrides=self._SETTING_OVERRIDES,
writer=MyWriter())
except:
output =\
"<h1 style='color:red;'>" +\
_("Incorrect RST Description") +\
"</h1>"
else:
output = html_sanitize("<h1 style='color:gray;'>" +
_("No Version Found") + "</h1>")
version.description_rst_html = html_sanitize(output)
def test_quote_bugs(self):
html = html_sanitize(test_mail_examples.BUG1)
for ext in test_mail_examples.BUG_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.BUG_1_OUT:
self.assertIn(
'<span data-o-mail-quote="1">%s</span>' %
cgi.escape(ext.decode('utf-8')), html)
def test_sanitize_unescape_emails(self):
not_emails = [
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>',
'<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">']
for email in not_emails:
sanitized = html_sanitize(email)
left_part = email.split('>')[0] # take only left part, as the sanitizer could add data information on node
self.assertNotIn(cgi.escape(email), sanitized, 'html_sanitize stripped emails of original html')
self.assertIn(left_part, sanitized)
def test_edi_source(self):
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
self.assertIn('div style="font-family: \'Lucica Grande\', Ubuntu, Arial, Verdana, sans-serif; font-size: 12px; color: rgb(34, 34, 34); background-color: #FFF;', html,
'html_sanitize removed valid style attribute')
self.assertIn('<span style="color: #222; margin-bottom: 5px; display: block; ">', html,
'html_sanitize removed valid style attribute')
self.assertIn('img class="oe_edi_paypal_button" src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html,
'html_sanitize removed valid img')
self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def generate_sms_batch(self, cr, uid, sms_template_id, res_ids, context=None, fields=None):
"""Generates an sms from the template for given the given model based on
records given by res_ids.
:param sms_template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
sms.sms entry(smsclient), with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
if context is None:
context = {}
if fields is None:
fields = ['body_html', 'sms_from', 'sms_to']
report_xml_pool = self.pool.get('ir.actions.report.xml')
res_ids_to_templates = self.get_sms_template_batch(cr, uid, sms_template_id, res_ids, context)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
# generate fields value for all res_ids linked to the current template
for field in fields:
generated_field_values = self.render_template_batch(
cr, uid, getattr(template, field), template.model, template_res_ids,
post_process=(field == 'body_html'),
context=context)
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# compute recipients
#results = self.generate_recipients_batch(cr, uid, results, template.id, template_res_ids, context=context)
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
# body: add user signature, sanitize
if 'body_html' in fields and template.user_signature:
signature = self.pool.get('res.users').browse(cr, uid, uid, context).signature
values['body_html'] = tools.append_content_to_html(values['body_html'], signature)
if values.get('body_html'):
values['body'] = tools.html_sanitize(values['body_html'])
# technical settings
values.update(
sms_server_id=template.sms_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False,
attachment_ids=[attach.id for attach in template.attachment_ids],
)
# Add report in attachments: generate once for all template_res_ids
return results
def test_sanitize_escape_emails(self):
emails = [
"Charles <*****@*****.**>",
"Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>",
"Technical <service/[email protected]>",
"Div nico <*****@*****.**>"
]
for email in emails:
self.assertIn(cgi.escape(email), html_sanitize(email), 'html_sanitize stripped emails of original html')
def test_edi_source(self):
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
self.assertIn(
'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;', html,
'html_sanitize removed valid styling')
self.assertIn(
'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html,
'html_sanitize removed valid img')
self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def test_edi_source(self):
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
self.assertIn('div style="font-family: \'Lucica Grande\', Ubuntu, Arial, Verdana, sans-serif; font-size: 12px; color: rgb(34, 34, 34); background-color: #FFF;', html,
'html_sanitize removed valid style attribute')
self.assertIn('<span style="color: #222; margin-bottom: 5px; display: block; ">', html,
'html_sanitize removed valid style attribute')
self.assertIn('img class="oe_edi_paypal_button" src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html,
'html_sanitize removed valid img')
self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def test_basic_sanitizer(self):
cases = [
("yop", "<p>yop</p>"), # simple
("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text
("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci",
u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode
]
for content, expected in cases:
html = html_sanitize(content)
self.assertEqual(html, expected, 'html_sanitize is broken')
def test_edi_source(self):
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
self.assertIn(
'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;',
html, 'html_sanitize removed valid styling')
self.assertIn(
'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"',
html, 'html_sanitize removed valid img')
self.assertNotIn('</body></html>', html,
'html_sanitize did not remove extra closing tags')
def test_sanitize_escape_emails_cite(self):
not_emails = [
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>']
for email in not_emails:
sanitized = html_sanitize(email)
self.assertNotIn(cgi.escape(email), sanitized, 'html_sanitize stripped emails of original html')
self.assertIn(
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com"',
sanitized,
'html_sanitize escaped valid address-like')
def test_sanitize_escape_emails(self):
emails = [
"Charles <*****@*****.**>",
"Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>",
"Technical <service/[email protected]>",
"Div nico <*****@*****.**>"
]
for email in emails:
self.assertIn(cgi.escape(email), html_sanitize(email),
'html_sanitize stripped emails of original html')
def test_evil_malicious_code(self):
# taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
cases = [
("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons
("<IMG SRC=javascript:alert('XSS')>"), # UTF-8 Unicode encoding
("<IMG SRC=javascript:alert('XSS')>"), # hex encoding
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline
("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab
("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab
("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters
("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html
("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"), # malformed tag
("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>"), # extraneous open brackets
("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags
("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"), # input image
("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image
("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc
("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc
("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table
("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background
("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"), # div background with unicoded exploit
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters
("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image
("<BODY ONLOAD=alert('XSS')>"), # event handler
("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes
("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"), # style sheet
("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">"), # remote style sheet
("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2
("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"), # remote style sheet 3
("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"), # remote style sheet 4
("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"), # style attribute using a comment to break up expression
]
for content in cases:
html = html_sanitize(content)
self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript')
self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html))
content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block
self.assertEquals(html_sanitize(content, silent=False), '')
def test_basic_sanitizer(self):
cases = [
("yop", "<p>yop</p>"), # simple
("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text
("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci",
u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode
]
for content, expected in cases:
html = html_sanitize(content)
self.assertEqual(html, expected, 'html_sanitize is broken')
def test_quote_signature(self):
test_data = [
(
"""<div>Hello<pre>--<br />Administrator</pre></div>""",
["<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">"],
)
]
for test, in_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
def test_sanitize_escape_emails_cite(self):
not_emails = [
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>'
]
for email in not_emails:
sanitized = html_sanitize(email)
self.assertNotIn(cgi.escape(email), sanitized,
'html_sanitize stripped emails of original html')
self.assertIn(
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com"',
sanitized, 'html_sanitize escaped valid address-like')
def test_html(self):
sanitized_html = html_sanitize(HTML_SOURCE)
for tag in [
'<font>', '<div>', '<b>', '<i>', '<u>', '<strike>', '<li>',
'<blockquote>', '<a href'
]:
self.assertIn(tag, sanitized_html,
'html_sanitize stripped too much of original html')
for attr in ['style', 'javascript']:
self.assertNotIn(
attr, sanitized_html,
'html_sanitize did not remove enough unwanted attributes')
def test_quote_signature(self):
test_data = [(
"""<div>Hello<pre>--<br />Administrator</pre></div>""",
[
"<pre data-o-mail-quote=\"1\">--",
"<br data-o-mail-quote=\"1\">"
],
)]
for test, in_lst in test_data:
new_html = html_sanitize(test)
for text in in_lst:
self.assertIn(text, new_html)
def test_html(self):
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
for tag in [
'<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote',
'<a href'
]:
self.assertIn(tag, sanitized_html,
'html_sanitize stripped too much of original html')
for attr in ['javascript']:
self.assertNotIn(
attr, sanitized_html,
'html_sanitize did not remove enough unwanted attributes')
def _get_desc(self, cr, uid, ids, field_name=None, arg=None, context=None):
res = dict.fromkeys(ids, '')
for module in self.browse(cr, uid, ids, context=context):
path = get_module_resource(module.name, 'static/description/index.html')
if path:
with tools.file_open(path, 'rb') as desc_file:
doc = desc_file.read()
html = lxml.html.document_fromstring(doc)
for element, attribute, link, pos in html.iterlinks():
if element.get('src') and not '//' in element.get('src') and not 'static/' in element.get('src'):
element.set('src', "/%s/static/description/%s" % (module.name, element.get('src')))
res[module.id] = html_sanitize(lxml.html.tostring(html))
else:
overrides = {
'embed_stylesheet': False,
'doctitle_xform': False,
'output_encoding': 'unicode',
'xml_declaration': False,
}
output = publish_string(source=module.description or '', settings_overrides=overrides, writer=MyWriter())
res[module.id] = html_sanitize(output)
return res
def test_mako(self):
cases = [
('''<p>Some text</p>
<% set signup_url = object.get_signup_url() %>
% if signup_url:
<p>
You can access this document and pay online via our Customer Portal:
</p>''', '''<p>Some text</p>
<% set signup_url = object.get_signup_url() %>
% if signup_url:
<p>
You can access this document and pay online via our Customer Portal:
</p>''')
]
for content, expected in cases:
html = html_sanitize(content, silent=False)
self.assertEqual(html, expected, 'html_sanitize: broken mako management')
def message_update(self, msg_dict, update_vals=None):
""" Override to update the support ticket according to the email. """
body_short = tools.html_sanitize(msg_dict['body'])
#body_short = tools.html_email_clean(msg_dict['body'], shorten=True, remove=True)
#Add to message history to keep HTML clean
self.conversation_history.create({'ticket_id': self.id, 'by': 'customer', 'content': body_short })
#If the to email address is to the customer then it must be a staff member
if msg_dict.get('to') == self.email:
change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_staff_replied')
else:
change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_customer_replied')
self.state = change_state.id
return super(WebsiteSupportTicket, self).message_update(msg_dict, update_vals=update_vals)
def test_quote_thunderbird(self):
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext.decode('utf-8')), html)
def generate_email(self, res_ids, fields=None):
"""Generates an email from the template for given the given model based on
records given by res_ids.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
self.ensure_one()
multi_mode = True
if isinstance(res_ids, (int, long)):
res_ids = [res_ids]
multi_mode = False
if fields is None:
fields = ['subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to']
res_ids_to_templates = self.get_email_template_batch(res_ids)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
Template = self.env['mail.template']
# generate fields value for all res_ids linked to the current template
if template.lang:
Template = Template.with_context(lang=template._context.get('lang'))
for field in fields:
generated_field_values = Template.render_template(
getattr(template, field), template.model, template_res_ids,
post_process=(field == 'body_html'))
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# compute recipients
if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']):
results = template.generate_recipients(results, template_res_ids)
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
# body: add user signature, sanitize
if 'body_html' in fields and template.user_signature:
signature = self.env.user.signature
if signature:
values['body_html'] = tools.append_content_to_html(values['body_html'], signature, plaintext=False)
if values.get('body_html'):
values['body'] = tools.html_sanitize(values['body_html'])
# technical settings
values.update(
mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False,
attachment_ids=[attach.id for attach in template.attachment_ids],
)
# Add report in attachments: generate once for all template_res_ids
if template.report_template:
for res_id in template_res_ids:
attachments = []
report_name = self.render_template(template.report_name, template.model, res_id)
report = template.report_template
report_service = report.report_name
if report.report_type in ['qweb-html', 'qweb-pdf']:
result, format = self.pool['report'].get_pdf(self._cr, self._uid, [res_id], report_service, context=Template._context), 'pdf'
else:
result, format = odoo_report.render_report(self._cr, self._uid, [res_id], report_service, {'model': template.model}, Template._context)
# TODO in trunk, change return format to binary to match message_post expected format
result = base64.b64encode(result)
if not report_name:
report_name = 'report.' + report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
results[res_id]['attachments'] = attachments
return multi_mode and results or results[res_ids[0]]
def test_quote_thunderbird_html(self):
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_HTML)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_OUT:
self.assertIn(ext, html)
def test_quote_bugs(self):
html = html_sanitize(test_mail_examples.BUG1)
for ext in test_mail_examples.BUG_1_IN:
self.assertIn(ext, html)
for ext in test_mail_examples.BUG_1_OUT:
self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext.decode('utf-8')), html)
def test_html(self):
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']:
self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html')
for attr in ['javascript']:
self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
def generate_email_batch(self, cr, uid, template_id, res_ids, context=None, fields=None):
"""Generates an email from the template for given the given model based on
records given by res_ids.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format [(report_name, data)] where data is base64 encoded.
"""
if context is None:
context = {}
if fields is None:
fields = ["subject", "body_html", "email_from", "email_to", "partner_to", "email_cc", "reply_to"]
report_xml_pool = self.pool.get("ir.actions.report.xml")
res_ids_to_templates = self.get_email_template_batch(cr, uid, template_id, res_ids, context)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
# generate fields value for all res_ids linked to the current template
for field in fields:
generated_field_values = self.render_template_batch(
cr,
uid,
getattr(template, field),
template.model,
template_res_ids,
post_process=(field == "body_html"),
context=context,
)
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# compute recipients
results = self.generate_recipients_batch(cr, uid, results, template.id, template_res_ids, context=context)
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
# body: add user signature, sanitize
if "body_html" in fields and template.user_signature:
signature = self.pool.get("res.users").browse(cr, uid, uid, context).signature
values["body_html"] = tools.append_content_to_html(values["body_html"], signature, plaintext=False)
if values.get("body_html"):
values["body"] = tools.html_sanitize(values["body_html"])
# technical settings
values.update(
mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False,
attachment_ids=[attach.id for attach in template.attachment_ids],
)
# Add report in attachments: generate once for all template_res_ids
if template.report_template:
for res_id in template_res_ids:
attachments = []
report_name = self.render_template(
cr, uid, template.report_name, template.model, res_id, context=context
)
report = report_xml_pool.browse(cr, uid, template.report_template.id, context)
report_service = report.report_name
# Ensure report is rendered using template's language
ctx = context.copy()
if template.lang:
ctx["lang"] = self.render_template_batch(
cr, uid, template.lang, template.model, [res_id], context
)[
res_id
] # take 0 ?
if report.report_type in ["qweb-html", "qweb-pdf"]:
result, format = (
self.pool["report"].get_pdf(cr, uid, [res_id], report_service, context=ctx),
"pdf",
)
else:
result, format = openerp.report.render_report(
cr, uid, [res_id], report_service, {"model": template.model}, ctx
)
# TODO in trunk, change return format to binary to match message_post expected format
result = base64.b64encode(result)
if not report_name:
report_name = "report." + report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
results[res_id]["attachments"] = attachments
return results
def generate_email_batch(self, cr, uid, template_id, res_ids, context=None, fields=None):
"""Generates an email from the template for given the given model based on
records given by res_ids.
:param template_id: id of the template to render.
:param res_id: id of the record to use for rendering the template (model
is taken from template definition)
:returns: a dict containing all relevant fields for creating a new
mail.mail entry, with one extra key ``attachments``, in the
format expected by :py:meth:`mail_thread.message_post`.
"""
if context is None:
context = {}
if fields is None:
fields = ['subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to']
report_xml_pool = self.pool.get('ir.actions.report.xml')
res_ids_to_templates = self.get_email_template_batch(cr, uid, template_id, res_ids, context)
# templates: res_id -> template; template -> res_ids
templates_to_res_ids = {}
for res_id, template in res_ids_to_templates.iteritems():
templates_to_res_ids.setdefault(template, []).append(res_id)
results = dict()
for template, template_res_ids in templates_to_res_ids.iteritems():
# generate fields value for all res_ids linked to the current template
for field in ['subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to']:
generated_field_values = self.render_template_batch(cr, uid, getattr(template, field), template.model, template_res_ids, context=context)
for res_id, field_value in generated_field_values.iteritems():
results.setdefault(res_id, dict())[field] = field_value
# update values for all res_ids
for res_id in template_res_ids:
values = results[res_id]
if template.user_signature:
signature = self.pool.get('res.users').browse(cr, uid, uid, context).signature
values['body_html'] = tools.append_content_to_html(values['body_html'], signature)
if values['body_html']:
values['body'] = tools.html_sanitize(values['body_html'])
values.update(
mail_server_id=template.mail_server_id.id or False,
auto_delete=template.auto_delete,
model=template.model,
res_id=res_id or False,
attachment_ids=[attach.id for attach in template.attachment_ids],
)
# Add report in attachments: generate once for all template_res_ids
if template.report_template:
for res_id in template_res_ids:
attachments = []
report_name = self.render_template(cr, uid, template.report_name, template.model, res_id, context=context)
report_service = report_xml_pool.browse(cr, uid, template.report_template.id, context).report_name
# Ensure report is rendered using template's language
ctx = context.copy()
if template.lang:
ctx['lang'] = self.render_template_batch(cr, uid, template.lang, template.model, [res_id], context)[res_id] # take 0 ?
result, format = openerp.report.render_report(cr, uid, [res_id], report_service, {'model': template.model}, ctx)
result = base64.b64encode(result)
if not report_name:
report_name = 'report.' + report_service
ext = "." + format
if not report_name.endswith(ext):
report_name += ext
attachments.append((report_name, result))
results[res_id]['attachments'] = attachments
return results
