def test_style_parsing(self): test_data = [ ( '<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>', ['background-color: red', 'Coin coin'], ['position', 'top', 'left'] ), ( """<div style='before: "Email Address; coincoin cheval: lapin"; font-size: 30px; max-width: 100%; after: "Not sure this; means: anything ?#ùµ" ; some-property: 2px; top: 3'>youplaboum</div>""", ['font-size: 30px', 'youplaboum'], ['some-property', 'top', 'cheval'] ), ( '<span style="width">Coincoin</span>', [], ['width'] ) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test, sanitize_attributes=False, sanitize_style=True, strip_style=False, strip_classes=False) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertNotIn(text, new_html) # style should not be sanitized if removed new_html = html_sanitize(test_data[0][0], sanitize_attributes=False, strip_style=True, strip_classes=False) self.assertEqual(new_html, u'<span>Coin coin </span>')
def test_misc(self): # False / void should not crash html = html_sanitize('') self.assertEqual(html, '') html = html_sanitize(False) self.assertEqual(html, False) # Message with xml and doctype tags don't crash html = html_sanitize(u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n') self.assertNotIn('encoding', html) self.assertNotIn('<title>404 - Not Found</title>', html) self.assertIn('<h1>404 - Not Found</h1>', html)
def test_quote_text(self): html = html_sanitize(test_mail_examples.TEXT_1) for ext in test_mail_examples.TEXT_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.TEXT_1_OUT: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html) html = html_sanitize(test_mail_examples.TEXT_2) for ext in test_mail_examples.TEXT_2_IN: self.assertIn(ext, html) for ext in test_mail_examples.TEXT_2_OUT: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_quote_hotmail_html(self): html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML) for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT: self.assertIn(ext, html) html = html_sanitize(test_mail_examples.HOTMAIL_1) for ext in test_mail_examples.HOTMAIL_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.HOTMAIL_1_OUT: self.assertIn(ext, html)
def test_quote_basic_text(self): test_data = [ ( """This is Sparta!\n--\nAdministrator\n+9988776655""", ['This is Sparta!'], ['\n--\nAdministrator\n+9988776655'] ), ( """<p>This is Sparta!\n--\nAdministrator</p>""", [], ['\n--\nAdministrator'] ), ( """<p>This is Sparta!<br/>--<br>Administrator</p>""", ['This is Sparta!'], [] ), ( """This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""", ['This is Sparta!', 'Certes', 'Clair'], ['\n>Ah bon ?', '\n> Chouette !'] ) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(text), new_html)
def convert_answer_to_comment(self): """ Tools to convert an answer (forum.post) to a comment (mail.message). The original post is unlinked and a new comment is posted on the question using the post create_uid as the comment's author. """ self.ensure_one() if not self.parent_id: return self.env['mail.message'] # karma-based action check: use the post field that computed own/all value if not self.can_comment_convert: raise KarmaError('Not enough karma to convert an answer to a comment') # post the message question = self.parent_id values = { 'author_id': self.sudo().create_uid.partner_id.id, # use sudo here because of access to res.users model 'body': tools.html_sanitize(self.content, sanitize_attributes=True, strip_style=True, strip_classes=True), 'message_type': 'comment', 'subtype': 'mail.mt_comment', 'date': self.create_date, } new_message = question.with_context(mail_create_nosubscribe=True).message_post(**values) # unlink the original answer, using SUPERUSER_ID to avoid karma issues self.sudo().unlink() return new_message
def send_mail_test(self): self.ensure_one() mails = self.env['mail.mail'] mailing = self.mass_mailing_id test_emails = tools.email_split(self.email_to) mass_mail_layout = self.env.ref('mass_mailing.mass_mailing_mail_layout') for test_mail in test_emails: # Convert links in absolute URLs before the application of the shortener mailing.write({'body_html': self.env['mail.thread']._replace_local_links(mailing.body_html)}) body = tools.html_sanitize(mailing.body_html, sanitize_attributes=True, sanitize_style=True) mail_values = { 'email_from': mailing.email_from, 'reply_to': mailing.reply_to, 'email_to': test_mail, 'subject': mailing.name, 'body_html': mass_mail_layout.render({'body': body}, engine='ir.qweb', minimal_qcontext=True), 'notification': True, 'mailing_id': mailing.id, 'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids], 'auto_delete': True, } mail = self.env['mail.mail'].create(mail_values) mails |= mail mails.send() return True
def compute_tips(self, company, user): tip = self.env['digest.tip'].search([('user_ids', '!=', user.id), '|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)], limit=1) if not tip: return False tip.user_ids = [4, user.id] body = tools.html_sanitize(tip.tip_description) tip_description = self.env['mail.template']._render_template(body, 'digest.tip', self.id) return tip_description
def test_sanitize_unescape_emails(self): not_emails = [ '<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>', '<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">'] for email in not_emails: sanitized = html_sanitize(email) left_part = email.split('>')[0] # take only left part, as the sanitizer could add data information on node self.assertNotIn(misc.html_escape(email), sanitized, 'html_sanitize stripped emails of original html') self.assertIn(left_part, sanitized)
def test_sanitize_escape_emails(self): emails = [ "Charles <*****@*****.**>", "Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>", "Technical <service/[email protected]>", "Div nico <*****@*****.**>" ] for email in emails: self.assertIn(misc.html_escape(email), html_sanitize(email), 'html_sanitize stripped emails of original html')
def test_edi_source(self): html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE) self.assertIn( 'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;', html, 'html_sanitize removed valid styling') self.assertIn( 'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html, 'html_sanitize removed valid img') self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def test_evil_malicious_code(self): # taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests cases = [ ("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons ("<IMG SRC=javascript:alert('XSS')>"), # UTF-8 Unicode encoding ("<IMG SRC=javascript:alert('XSS')>"), # hex encoding ("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return ("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline ("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab ("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab ("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters ("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html ("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"), # malformed tag ("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits ("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits ("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>"), # extraneous open brackets ("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags ("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"), # input image ("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image ("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc ("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc ("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table ("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td ("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background ("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"), # div background with unicoded exploit ("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters ("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image ("<BODY ONLOAD=alert('XSS')>"), # event handler ("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes ("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"), # style sheet ("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">"), # remote style sheet ("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2 ("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"), # remote style sheet 3 ("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"), # remote style sheet 4 ("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"), # style attribute using a comment to break up expression ] for content in cases: html = html_sanitize(content) self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript') self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html)) content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block self.assertEquals(html_sanitize(content, silent=False), '')
def test_basic_sanitizer(self): cases = [ ("yop", "<p>yop</p>"), # simple ("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text ("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci", u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode ] for content, expected in cases: html = html_sanitize(content) self.assertEqual(html, expected, 'html_sanitize is broken')
def _compute_description_rst_html(self): for version in self: if version.description_rst: try: output = publish_string( source=version.description_rst, settings_overrides=self._SETTING_OVERRIDES, writer=MyWriter()) except Exception: output =\ "<h1 style='color:red;'>" +\ _("Incorrect RST Description") +\ "</h1>" else: output = html_sanitize( "<h1 style='color:gray;'>" + _("No Version Found") + "</h1>") version.description_rst_html = html_sanitize(output)
def test_quote_signature(self): test_data = [ ( """<div>Hello<pre>--<br />Administrator</pre></div>""", ["<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">"], ) ] for test, in_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html)
def compute_tips(self, company, user, tips_count=1): tips = self.env['digest.tip'].search([ ('user_ids', '!=', user.id), '|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False) ], limit=tips_count) tip_descriptions = [ self.env['mail.render.mixin']._render_template(tools.html_sanitize(tip.tip_description), 'digest.tip', tip.ids, post_process=True)[tip.id] for tip in tips ] tips.user_ids += user return tip_descriptions
def _action_send_statistics(self): """Send an email to the responsible of each finished mailing with the statistics.""" self.kpi_mail_required = False for mailing in self: user = mailing.user_id mailing = mailing.with_context( lang=user.lang or self._context.get('lang')) mailing_type = mailing._get_pretty_mailing_type() link_trackers = self.env['link.tracker'].search([ ('mass_mailing_id', '=', mailing.id) ]).sorted('count', reverse=True) link_trackers_body = self.env['ir.qweb']._render( 'mass_mailing.mass_mailing_kpi_link_trackers', { 'object': mailing, 'link_trackers': link_trackers, 'mailing_type': mailing_type, }, ) rendered_body = self.env['ir.qweb']._render( 'digest.digest_mail_main', { 'body': tools.html_sanitize(link_trackers_body), 'company': user.company_id, 'user': user, 'display_mobile_banner': True, **mailing._prepare_statistics_email_values() }, ) full_mail = self.env['mail.render.mixin']._render_encapsulate( 'digest.digest_mail_layout', rendered_body, ) mail_values = { 'subject': _('24H Stats of %(mailing_type)s "%(mailing_name)s"', mailing_type=mailing._get_pretty_mailing_type(), mailing_name=mailing.subject), 'email_from': user.email_formatted, 'email_to': user.email_formatted, 'body_html': full_mail, 'auto_delete': True, } mail = self.env['mail.mail'].sudo().create(mail_values) mail.send(raise_exception=False)
def rst2html(content): overrides = { 'embed_stylesheet': False, 'doctitle_xform': False, 'output_encoding': 'unicode', 'xml_declaration': False, } output = publish_string(content, settings_overrides=overrides, writer=ReStructuredTextWriter()) return tools.html_sanitize(output)
def _get_desc(self): for module in self: path = modules.get_module_resource(module.name, 'static/description/index.html') if path: with tools.file_open(path, 'rb') as desc_file: doc = desc_file.read() html = lxml.html.document_fromstring(doc) for element, attribute, link, pos in html.iterlinks(): if element.get('src') and not '//' in element.get('src') and not 'static/' in element.get('src'): element.set('src', "/%s/static/description/%s" % (module.name, element.get('src'))) module.description_html = tools.html_sanitize(lxml.html.tostring(html)) else: overrides = { 'embed_stylesheet': False, 'doctitle_xform': False, 'output_encoding': 'unicode', 'xml_declaration': False, } output = publish_string(source=module.description or '', settings_overrides=overrides, writer=MyWriter()) module.description_html = tools.html_sanitize(output)
def message_body(self, msg, strip_style=True): """Return body message prepared for email content. Message's body can contains styles and other stuff that can screw the look and feel of digests' mails. Here we sanitize it if `sanitize_msg_body` is set on the digest. """ if not self.sanitize_msg_body: return msg.body return tools.html_sanitize(msg.body or '', strip_style=strip_style)
def generate_sms(self, res_ids, fields=None): self.ensure_one() multi_mode = True if isinstance(res_ids, pycompat.integer_types): res_ids = [res_ids] multi_mode = False if fields is None: fields = ['body_html'] res_ids_to_templates = self.get_email_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.items(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.items(): Template = self.env['sms.template'] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context( lang=template._context.get('lang') ) for field in fields: Template = Template.with_context(safe=field in {'subject'}) generated_field_values = Template._render_template( getattr(template, field), template.model, template_res_ids, post_process=(field == 'body_html')) for res_id, field_value in generated_field_values.items(): results.setdefault(res_id, dict())[field] = field_value # update values for all res_ids for res_id in template_res_ids: values = results[res_id] # body: add user signature, sanitize if 'body_html' in fields and template.user_signature: signature = self.env.user.signature if signature: values['body_html'] = tools.append_content_to_html( values['body_html'], signature, plaintext=False ) if values.get('body_html'): values['message'] = tools.html_sanitize( values['body_html'] ) # technical settings values.update( model=template.model, res_id=res_id or False, ) return multi_mode and results or results[res_ids[0]]
def test_style_class_only(self): html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=False, sanitize_style=True, strip_classes=True) for ext in test_mail_examples.REMOVE_CLASS_IN: self.assertIn(ext, html) for ext in test_mail_examples.REMOVE_CLASS_OUT: self.assertNotIn( ext, html, )
def test_html(self): sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE) for tag in [ '<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href' ]: self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html') for attr in ['javascript']: self.assertNotIn( attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
def compute_tips(self, company, user): tip = self.env['digest.tip'].search( [('user_ids', '!=', user.id), '|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)], limit=1) if not tip: return False tip.user_ids += user body = tools.html_sanitize(tip.tip_description) tip_description = self.env['mail.template']._render_template( body, 'digest.tip', self.id) return tip_description
def _get_desc(self): for module in self: if module.name and module.description: path = modules.get_module_resource( module.name, "static/description/index.html" ) if path: with tools.file_open(path, "rb") as desc_file: doc = desc_file.read() html = lxml.html.document_fromstring(doc) for element, attribute, link, pos in html.iterlinks(): if ( element.get("src") and "//" not in element.get("src") and "static/" not in element.get("src") ): element.set( "src", "/%s/static/description/%s" % (module.name, element.get("src")), ) module.description_html = tools.html_sanitize( lxml.html.tostring(html) ) else: overrides = { "embed_stylesheet": False, "doctitle_xform": False, "output_encoding": "unicode", "xml_declaration": False, "file_insertion_enabled": False, } output = publish_string( source=module.description if not module.application and module.description else "", settings_overrides=overrides, writer=MyWriter(), ) module.description_html = tools.html_sanitize(output)
def generate_document(self, res_ids, fields=None): """Generates an email from the template for given the given model based on records given by res_ids. :param template_id: id of the template to render. :param res_id: id of the record to use for rendering the template (model is taken from template definition) :returns: a dict containing all relevant fields for creating a new mail.mail entry, with one extra key ``attachments``, in the format [(report_name, data)] where data is base64 encoded. """ self.ensure_one() multi_mode = True if isinstance(res_ids, (int, long)): res_ids = [res_ids] multi_mode = False if fields is None: fields = ['body_html'] res_ids_to_templates = self.get_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.iteritems(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.iteritems(): Template = self.env['hr.document'] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context( lang=template._context.get('lang')) for field in fields: Template = Template.with_context(safe=field in {'subject'}) generated_field_values = Template.render_template( getattr(template, field), template.model, template_res_ids, post_process=(field == 'body_html')) for res_id, field_value in generated_field_values.iteritems(): results.setdefault(res_id, dict())[field] = field_value # compute recipients if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']): results = template.generate_recipients(results, template_res_ids) # update values for all res_ids for res_id in template_res_ids: values = results[res_id] if values.get('body_html'): values['body'] = tools.html_sanitize(values['body_html']) return multi_mode and results or results[res_ids[0]]
def default_get(self, fields_list): res = super(SendMailDocument, self).default_get(fields_list) context = self._context if not context.get('install_mode'): res['recipients'] = context['recipients'] template_id = self.browse(context.get('default_template_id')) res['body'] = tools.html_sanitize(template_id.body) res['name'] = template_id.name res['subject'] = template_id.subject res['email_cc'] = '' partner_id = self.env['res.users'].browse(self._uid).partner_id res['sender'] = '%s <%s>' % (partner_id.name, partner_id.email) return res
def test_sanitize_unescape_emails(self): not_emails = [ '<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>', '<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">' ] for email in not_emails: sanitized = html_sanitize(email) left_part = email.split( '>' )[0] # take only left part, as the sanitizer could add data information on node self.assertNotIn(misc.html_escape(email), sanitized, 'html_sanitize stripped emails of original html') self.assertIn(left_part, sanitized)
def convert_to_cache(self, value, record, validate=True): if value is None or value is False: return False if validate and self.sanitize: value = html_sanitize(value, silent=True, sanitize_tags=self.sanitize_tags, sanitize_attributes=self.sanitize_attributes, sanitize_style=self.sanitize_style, strip_style=self.strip_style, strip_classes=self.strip_classes) if value == '<p><br></p>' or value == '<p></p>': return None return value
def _compute_description(self): module_version_obj = self.env["odoo.module.version"] for module in self: version_ids = module.module_version_ids.ids last_version = module_version_obj.search( [("id", "in", version_ids)], order="organization_serie_id desc", limit=1 ) if last_version: module.description_rst = last_version.description_rst module.description_rst_html = last_version.description_rst_html else: module.description_rst = "" module.description_rst_html = html_sanitize( "<h1 style='color:gray;'>" + _("No Version Found") + "</h1>" )
def mixin_render_template(self, template_xml_id=None, params=None): # Permite compilar una plantilla qweb y obtener el codigo html # :param template_xml_id: # :param params: # :param links: # :return: if params is None: params = {} body = '' if template_xml_id: ActionReport = self.env['ir.actions.report'] body = ActionReport.render_template(template_xml_id, values=params) body = body.decode('utf-8') # Ensure the current document is utf-8 encoded. body = tools.html_sanitize(body) return body
def _compute_description(self): module_version_obj = self.env['odoo.module.version'] for module in self: version_ids = module.module_version_ids.ids last_version = module_version_obj.search( [('id', 'in', version_ids)], order='organization_serie_id desc', limit=1) if last_version: module.description_rst = last_version.description_rst module.description_rst_html = last_version.description_rst_html else: module.description_rst = '' module.description_rst_html = html_sanitize( "<h1 style='color:gray;'>" + _("No Version Found") + "</h1>")
def test_mako(self): cases = [('''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''', '''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''')] for content, expected in cases: html = html_sanitize(content, silent=False) self.assertEqual(html, expected, 'html_sanitize: broken mako management')
def send_mail_test(self): self.ensure_one() ctx = dict(self.env.context) ctx.pop('default_state', None) self = self.with_context(ctx) mails_sudo = self.env['mail.mail'].sudo() mailing = self.mass_mailing_id test_emails = tools.email_split(self.email_to) mass_mail_layout = self.env.ref( 'mass_mailing.mass_mailing_mail_layout') for test_mail in test_emails: # Convert links in absolute URLs before the application of the shortener body = self.env['mail.render.mixin']._replace_local_links( mailing.body_html) body = tools.html_sanitize(body, sanitize_attributes=True, sanitize_style=True) mail_values = { 'email_from': mailing.email_from, 'reply_to': mailing.reply_to, 'email_to': test_mail, 'subject': mailing.subject, 'body_html': mass_mail_layout._render({'body': body}, engine='ir.qweb', minimal_qcontext=True), 'notification': True, 'mailing_id': mailing.id, 'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids], 'auto_delete': True, 'mail_server_id': mailing.mail_server_id.id, } mail = self.env['mail.mail'].sudo().create(mail_values) mails_sudo |= mail mails_sudo.send() return True
def message_update(self, msg_dict, update_vals=None): """ Override to update the support ticket according to the email. """ body_short = tools.html_sanitize(msg_dict['body']) #If the to email address is to the customer then it must be a staff member if msg_dict.get('to') == self.email: change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_staff_replied') else: change_state = self.env['ir.model.data'].get_object('website_support','website_ticket_state_customer_replied') self.state_id = change_state.id #Add to message history to keep HTML clean self.conversation_history_ids.create({'ticket_id': self.id, 'by': 'customer', 'content': body_short }) return super(WebsiteSupportTicket, self).message_update(msg_dict, update_vals=update_vals)
def test_mako(self): cases = [ ('''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''', '''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''') ] for content, expected in cases: html = html_sanitize(content, silent=False) self.assertEqual(html, expected, 'html_sanitize: broken mako management')
def _odoo_values(self, google_event, default_reminders=()): if google_event.is_cancelled(): return {'active': False} alarm_commands = self._odoo_reminders_commands(google_event.reminders.get('overrides') or default_reminders) attendee_commands, partner_commands = self._odoo_attendee_commands(google_event) related_event = self.search([('google_id', '=', google_event.id)], limit=1) name = google_event.summary or related_event and related_event.name or _("(No title)") values = { 'name': name, 'description': google_event.description and tools.html_sanitize(google_event.description), 'location': google_event.location, 'user_id': google_event.owner(self.env).id, 'privacy': google_event.visibility or self.default_get(['privacy'])['privacy'], 'attendee_ids': attendee_commands, 'alarm_ids': alarm_commands, 'recurrency': google_event.is_recurrent() } if partner_commands: # Add partner_commands only if set from Google. The write method on calendar_events will # override attendee commands if the partner_ids command is set but empty. values['partner_ids'] = partner_commands if not google_event.is_recurrence(): values['google_id'] = google_event.id if google_event.is_recurrent() and not google_event.is_recurrence(): # Propagate the follow_recurrence according to the google result values['follow_recurrence'] = google_event.is_recurrence_follower() if google_event.start.get('dateTime'): # starting from python3.7, use the new [datetime, date].fromisoformat method start = parse(google_event.start.get('dateTime')).astimezone(pytz.utc).replace(tzinfo=None) stop = parse(google_event.end.get('dateTime')).astimezone(pytz.utc).replace(tzinfo=None) values['allday'] = False else: start = parse(google_event.start.get('date')) stop = parse(google_event.end.get('date')) - relativedelta(days=1) # Stop date should be exclusive as defined here https://developers.google.com/calendar/v3/reference/events#resource # but it seems that's not always the case for old event if stop < start: stop = parse(google_event.end.get('date')) values['allday'] = True values['start'] = start values['stop'] = stop return values
def generate_email(self, res_ids, fields=None): multi_mode = True if isinstance(res_ids, (int, long)): res_ids = [res_ids] multi_mode = False result = super(MailTemplate, self).generate_email(res_ids, fields=fields) for record_id, this in self.get_email_template(res_ids).iteritems(): if this.body_type == 'qweb' and\ (not fields or 'body_html' in fields): for record in self.env[this.model].browse(record_id): result[record_id]['body_html'] = self.render_post_process( this.body_view_id.render({ 'object': record, 'email_template': this, })) result[record_id]['body'] = tools.html_sanitize( result[record_id]['body_html']) return multi_mode and result or result[res_ids[0]]
def generate_sms(self, res_ids, fields=None): self.ensure_one() multi_mode = True if isinstance(res_ids, (int, long)): res_ids = [res_ids] multi_mode = False if fields is None: fields = ['message'] res_ids_to_templates = self.get_sms_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.iteritems(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.iteritems(): Template = self.env['sms.template'] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context( lang=template._context.get('lang')) for field in fields: Template = Template.with_context(safe=field in {'sender'}) generated_field_values = Template.render_template( getattr(template, field), template.model_id, template_res_ids, post_process=(field == 'message')) for res_id, field_value in generated_field_values.iteritems(): results.setdefault(res_id, dict())[field] = field_value # update values for all res_ids for res_id in template_res_ids: values = results[res_id] if values.get('message'): values['message'] = tools.html_sanitize(values['message']) # technical settings values.update(model_id=template.model_id, res_id=res_id or False) return multi_mode and results or results[res_ids[0]]
def send_mail_test(self): self.ensure_one() mails = self.env['mail.mail'] mailing = self.mass_mailing_id test_emails = tools.email_split(self.email_to) mass_mail_layout = self.env.ref( 'mass_mailing.mass_mailing_mail_layout') for test_mail in test_emails: # Convert links in absolute URLs before the application of the shortener mailing.write({ 'body_html': self.env['mail.thread']._replace_local_links(mailing.body_html) }) body = tools.html_sanitize(mailing.body_html, sanitize_attributes=True, sanitize_style=True) mail_values = { 'email_from': mailing.email_from, 'reply_to': mailing.reply_to, 'email_to': test_mail, 'subject': mailing.name, 'body_html': mass_mail_layout.render({'body': body}, engine='ir.qweb', minimal_qcontext=True), 'notification': True, 'mailing_id': mailing.id, 'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids], 'auto_delete': True, } mail = self.env['mail.mail'].create(mail_values) mails |= mail mails.send() return True
def test_quote_basic_text(self): test_data = [ ("""This is Sparta!\n--\nAdministrator\n+9988776655""", ['This is Sparta!'], ['\n--\nAdministrator\n+9988776655']), ("""<p>This is Sparta!\n--\nAdministrator</p>""", [], ['\n--\nAdministrator']), ("""<p>This is Sparta!<br/>--<br>Administrator</p>""", ['This is Sparta!'], []), ("""This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""", ['This is Sparta!', 'Certes', 'Clair'], ['\n>Ah bon ?', '\n> Chouette !']) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertIn( u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(text), new_html)
def test_quote_blockquote(self): html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT: self.assertIn(u'<span data-o-mail-quote="1">%s' % misc.html_escape(ext), html)
def test_style_class_only(self): html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=False, sanitize_style=True, strip_classes=True) for ext in test_mail_examples.REMOVE_CLASS_IN: self.assertIn(ext, html) for ext in test_mail_examples.REMOVE_CLASS_OUT: self.assertNotIn(ext, html,)
def generate_email(self, res_ids, fields=None): """Generates an email from the template for given the given model based on records given by res_ids. :param res_id: id of the record to use for rendering the template (model is taken from template definition) :returns: a dict containing all relevant fields for creating a new mail.mail entry, with one extra key ``attachments``, in the format [(report_name, data)] where data is base64 encoded. """ self.ensure_one() multi_mode = True if isinstance(res_ids, pycompat.integer_types): res_ids = [res_ids] multi_mode = False if fields is None: fields = ['subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to', 'scheduled_date'] res_ids_to_templates = self.get_email_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.items(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.items(): Template = self.env['mail.template'] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context(lang=template._context.get('lang')) for field in fields: Template = Template.with_context(safe=field in {'subject'}) generated_field_values = Template.render_template( getattr(template, field), template.model, template_res_ids, post_process=(field == 'body_html')) for res_id, field_value in generated_field_values.items(): results.setdefault(res_id, dict())[field] = field_value # compute recipients if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']): results = template.generate_recipients(results, template_res_ids) # update values for all res_ids for res_id in template_res_ids: values = results[res_id] # body: add user signature, sanitize if 'body_html' in fields and template.user_signature: signature = self.env.user.signature if signature: values['body_html'] = tools.append_content_to_html(values['body_html'], signature, plaintext=False) if values.get('body_html'): values['body'] = tools.html_sanitize(values['body_html']) # technical settings values.update( mail_server_id=template.mail_server_id.id or False, auto_delete=template.auto_delete, model=template.model, res_id=res_id or False, attachment_ids=[attach.id for attach in template.attachment_ids], ) # Add report in attachments: generate once for all template_res_ids if template.report_template: for res_id in template_res_ids: attachments = [] report_name = self.render_template(template.report_name, template.model, res_id) report = template.report_template report_service = report.report_name if report.report_type not in ['qweb-html', 'qweb-pdf']: raise UserError(_('Unsupported report type %s found.') % report.report_type) result, format = report.render_qweb_pdf([res_id]) # TODO in trunk, change return format to binary to match message_post expected format result = base64.b64encode(result) if not report_name: report_name = 'report.' + report_service ext = "." + format if not report_name.endswith(ext): report_name += ext attachments.append((report_name, result)) results[res_id]['attachments'] = attachments return multi_mode and results or results[res_ids[0]]
def generate_email(self, res_ids, fields=None): """Generates an email from the template for given the given model based on records given by res_ids. :param template_id: id of the template to render. :param res_id: id of the record to use for rendering the template (model is taken from template definition) :returns: a dict containing all relevant fields for creating a new mail.mail entry, with one extra key ``attachments``, in the format [(report_name, data)] where data is base64 encoded. """ self.ensure_one() multi_mode = True if isinstance(res_ids, (int, long)): res_ids = [res_ids] multi_mode = False if fields is None: fields = [ "subject", "body_html", "email_from", "email_to", "partner_to", "email_cc", "reply_to", "scheduled_date", ] res_ids_to_templates = self.get_email_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.iteritems(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.iteritems(): Template = self.env["mail.template"] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context(lang=template._context.get("lang")) for field in fields: Template = Template.with_context(safe=field in {"subject"}) generated_field_values = Template.render_template( getattr(template, field), template.model, template_res_ids, post_process=(field == "body_html") ) for res_id, field_value in generated_field_values.iteritems(): results.setdefault(res_id, dict())[field] = field_value # compute recipients if any(field in fields for field in ["email_to", "partner_to", "email_cc"]): results = template.generate_recipients(results, template_res_ids) # update values for all res_ids for res_id in template_res_ids: values = results[res_id] # body: add user signature, sanitize if "body_html" in fields and template.user_signature: signature = self.env.user.signature if signature: values["body_html"] = tools.append_content_to_html( values["body_html"], signature, plaintext=False ) if values.get("body_html"): values["body"] = tools.html_sanitize(values["body_html"]) # technical settings values.update( mail_server_id=template.mail_server_id.id or False, auto_delete=template.auto_delete, model=template.model, res_id=res_id or False, attachment_ids=[attach.id for attach in template.attachment_ids], ) # Add report in attachments: generate once for all template_res_ids if template.report_template and not "report_template_in_attachment" in self.env.context: for res_id in template_res_ids: attachments = [] report_name = self.render_template(template.report_name, template.model, res_id) report = template.report_template report_service = report.report_name if report.report_type in ["qweb-html", "qweb-pdf"]: result, format = Template.env["report"].get_pdf([res_id], report_service), "pdf" else: result, format = odoo_report.render_report( self._cr, self._uid, [res_id], report_service, {"model": template.model}, Template._context ) # TODO in trunk, change return format to binary to match message_post expected format result = base64.b64encode(result) if not report_name: report_name = "report." + report_service ext = "." + format if not report_name.endswith(ext): report_name += ext attachments.append((report_name, result)) results[res_id]["attachments"] = attachments return multi_mode and results or results[res_ids[0]]
def test_quote_thunderbird_html(self): html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_HTML) for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_OUT: self.assertIn(ext, html)
def test_quote_thunderbird(self): html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1) for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_quote_blockquote(self): html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT: self.assertIn('<span data-o-mail-quote="1">%s' % cgi.escape(ext.decode('utf-8')), html)
def test_html(self): sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE) for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']: self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html') for attr in ['javascript']: self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
def test_quote_gmail(self): html = html_sanitize(test_mail_examples.GMAIL_1) for ext in test_mail_examples.GMAIL_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.GMAIL_1_OUT: self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext), html)
def test_quote_bugs(self): html = html_sanitize(test_mail_examples.BUG1) for ext in test_mail_examples.BUG_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.BUG_1_OUT: self.assertIn('<span data-o-mail-quote="1">%s</span>' % cgi.escape(ext.decode('utf-8')), html)
def test_cid_with_at(self): img_tag = '<img src="@">' sanitized = html_sanitize(img_tag, sanitize_tags=False, strip_classes=True) self.assertEqual(img_tag, sanitized, "img with can have cid containing @ and shouldn't be escaped")