def execute():
    """Patch: run every Product Bundle item description through sanitize_html.

    Each bundle is loaded as a document; non-empty item descriptions are
    sanitized and written back with db_set(update_modified=False) so the
    bundle's modified timestamp is left untouched.
    """
    for bundle in dataent.get_all('Product Bundle'):
        bundle_doc = dataent.get_doc('Product Bundle', bundle.name)
        for bundle_item in bundle_doc.items:
            raw_description = bundle_item.description
            if not raw_description:
                continue
            bundle_item.db_set(
                'description',
                sanitize_html(raw_description),
                update_modified=False,
            )
def get_context(context):
    """Populate the website search page context.

    Reads the ``q`` form parameter: when present it is HTML-sanitized and
    escaped before being used both for display and for get_search_results;
    when absent only a plain 'Search' title is set.  The page is always
    marked no_cache so results are never served stale.
    """
    context.no_cache = 1
    raw_query = dataent.form_dict.q
    if not raw_query:
        context.title = _('Search')
        return
    # sanitize first (strips markup), then escape what remains for safe display
    query = str(utils.escape(sanitize_html(raw_query)))
    context.title = _('Search Results for ')
    context.query = query
    context.route = '/search'
    context.update(get_search_results(query))
def get_list_context(context=None):
    """Build the list context for the blog index page.

    The context carries the blog template, the list getter and the category
    children.  Title/sub_title are chosen from whichever form parameter is
    present, in this order: blog_category/category, blogger, txt.  Values
    taken from the form that end up in the page are passed through
    sanitize_html first.  The breadcrumb gets a "Blog" parent only when a
    sub_title was set.  Finally the Blog Settings single doc is merged in.

    ``context`` is accepted for interface compatibility and not used.
    """
    list_context = dataent._dict(
        template="templates/includes/blog/blog.html",
        get_list=get_blog_list,
        hide_filters=True,
        children=get_children(),
        title=_('Blog'),
    )

    form = dataent.local.form_dict
    category = sanitize_html(form.blog_category or form.category)
    if category:
        category_title = get_blog_category(category)
        list_context.sub_title = _("Posts filed under {0}").format(category_title)
        list_context.title = category_title
    elif form.blogger:
        blogger = dataent.db.get_value(
            "Blogger", {"name": form.blogger}, "full_name")
        list_context.sub_title = _("Posts by {0}").format(blogger)
        list_context.title = blogger
    elif form.txt:
        list_context.sub_title = _('Filtered by "{0}"').format(
            sanitize_html(form.txt))

    home_crumb = {"name": _("Home"), "route": "/"}
    if list_context.sub_title:
        list_context.parents = [home_crumb, {"name": "Blog", "route": "/blog"}]
    else:
        list_context.parents = [home_crumb]

    blog_settings = dataent.get_doc("Blog Settings", "Blog Settings")
    list_context.update(blog_settings.as_dict(no_default_fields=True))
    return list_context
def get_context(context):
    """Populate the help/docs search page context.

    Mirrors the site search page: the ``q`` form parameter is sanitized and
    escaped, then handed to get_help_results_sections; the route is
    /search_help.  Without a query only the 'Docs Search' title is set.
    The page is always marked no_cache.
    """
    context.no_cache = 1
    raw_query = dataent.form_dict.q
    if not raw_query:
        context.title = _('Docs Search')
        return
    # sanitize first (strips markup), then escape what remains for safe display
    query = str(utils.escape(sanitize_html(raw_query)))
    context.title = _('Help Results for')
    context.query = query
    context.route = '/search_help'
    help_context = dataent._dict()
    help_context.results_sections = get_help_results_sections(query)
    context.update(help_context)
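def _sanitize_content(self):
    """Sanitize HTML and Email in field values. Used to prevent XSS.

    - Skipped entirely while installing (dataent.flags.in_install).
    - Only string values containing '<' or '>' are considered.
    - Ignore if 'Ignore XSS Filter' is checked or fieldtype is 'Code'
      (a Code/Data/Small Text field with options 'Email' goes through
      sanitize_email instead of being ignored).
    - Attach / Attach Image / Barcode fields are left untouched.
    - Cancelled docs, and submitted docs for fields that are not
      'Allow on Submit', are left untouched.
    - Values carrying the "<!-- markdown -->" marker are left to the
      markdown converter unless they contain "<script" or "javascript:".
      NOTE(review): that marker test looks only for those two substrings;
      the markdown converter is relied upon for everything else in such
      values — confirm it sanitizes its output.

    Fix: the final sanitize_html branch can be reached with ``df`` being
    None (both earlier branches require ``df``); the original read
    ``df.fieldtype`` there and raised AttributeError for any fieldname the
    meta has no field for.  ``linkify`` is now computed defensively.
    """
    if dataent.flags.in_install:
        return
    for fieldname, value in self.get_valid_dict().items():
        if not value or not isinstance(value, string_types):
            continue
        value = dataent.as_unicode(value)
        if u"<" not in value and u">" not in value:
            # doesn't look like html so no need
            continue
        if "<!-- markdown -->" in value and not ("<script" in value or "javascript:" in value):
            # should be handled separately via the markdown converter function
            continue

        # may be None when the meta has no DocField for this fieldname;
        # every branch below must tolerate that
        df = self.meta.get_field(fieldname)
        if df and df.get("fieldtype") in (
                "Data", "Code", "Small Text") and df.get("options") == "Email":
            sanitized_value = sanitize_email(value)
        elif df and (
                df.get("ignore_xss_filter")
                or (df.get("fieldtype") == "Code" and df.get("options") != "Email")
                or df.get("fieldtype") in ("Attach", "Attach Image", "Barcode")
                # cancelled and submit but not update after submit should be ignored
                or self.docstatus == 2
                or (self.docstatus == 1 and not df.get("allow_on_submit"))):
            continue
        else:
            # df may be None here; only link-ify rich text editor content
            linkify = bool(df and df.get("fieldtype") == 'Text Editor')
            sanitized_value = sanitize_html(value, linkify=linkify)
        self.set(fieldname, sanitized_value)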
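def insert_communication(self, msg, args=None):
    """Create a Communication document from one received email.

    Args:
        msg: either the raw message, or a ``[raw, uid, seen]`` list as
            produced by the mailbox fetch.
        args: optional dict; a truthy ``uid`` or ``seen`` in it overrides
            the values taken from ``msg``.

    Returns:
        The inserted Communication, or None when a Communication with the
        same Message-ID already exists (its uid is updated in place).

    Raises:
        SentEmailInInbox: the sender is this account's own address and the
            mail carries no Reply-To (e.g. gmail showing sent mail in inbox).

    Fixes relative to the previous version:
    - ``message_id`` is taken from an incoming mail header, i.e. untrusted
      input; it is now passed to db.sql as a bound parameter instead of
      being interpolated into the query string.
    - ``args.get("uid", -1)`` with a default of -1 was always truthy, so a
      missing ``uid`` in ``args`` silently overwrote the uid taken from
      ``msg`` with -1.  Only a truthy ``args["uid"]`` overrides now.
    - ``args`` no longer uses a mutable default.
    """
    if args is None:
        args = {}

    if isinstance(msg, list):
        raw, uid, seen = msg
    else:
        raw = msg
        uid = -1
        seen = 0

    # explicit overrides from the caller win over what the message carried
    if args.get("uid"):
        uid = args["uid"]
    if args.get("seen"):
        seen = args["seen"]

    email = Email(raw)

    if email.from_email == self.email_id and not email.mail.get("Reply-To"):
        # gmail shows sent emails in inbox
        # and we don't want emails sent by us to be pulled back into the system again
        # dont count emails sent by the system get those
        if dataent.flags.in_test:
            print('WARN: Cannot pull email. Sender sames as recipient inbox')
        raise SentEmailInInbox

    if email.message_id:
        # message_id is attacker-controlled header data: bind it, never format it in
        names = dataent.db.sql(
            """select distinct name from tabCommunication
            where message_id=%s
            order by creation desc limit 1""",
            (email.message_id,),
            as_dict=True)

        if names:
            name = names[0].get("name")
            # email is already available update communication uid instead
            dataent.db.set_value("Communication", name, "uid", uid, update_modified=False)
            return

    if email.content_type == 'text/html':
        email.content = clean_email_html(email.content)

    communication = dataent.get_doc({
        "doctype": "Communication",
        "subject": email.subject,
        "content": email.content,
        'text_content': email.text_content,
        "sent_or_received": "Received",
        "sender_full_name": email.from_real_name,
        "sender": email.from_email,
        "recipients": email.mail.get("To"),
        "cc": email.mail.get("CC"),
        "email_account": self.name,
        "communication_medium": "Email",
        "uid": int(uid or -1),
        "message_id": email.message_id,
        "communication_date": email.date,
        "has_attachment": 1 if email.attachments else 0,
        "seen": seen or 0,
    })

    self.set_thread(communication, email)

    if communication.seen:
        # get email account user and set communication as seen
        users = dataent.get_all("User Email", filters={
            "email_account": self.name
        }, fields=["parent"])
        users = list({user.get("parent") for user in users})
        communication._seen = json.dumps(users)

    communication.flags.in_receive = True
    communication.insert(ignore_permissions=1)

    # save attachments
    communication._attachments = email.save_attachments_in_doc(communication)

    # replace inline images
    dirty = False
    for attachment in communication._attachments:
        if attachment.name in email.cid_map and email.cid_map[attachment.name]:
            dirty = True
            email.content = email.content.replace(
                "cid:{0}".format(email.cid_map[attachment.name]),
                attachment.file_url)

    if dirty:
        # not sure if using save() will trigger anything
        communication.db_set("content", sanitize_html(email.content))

    # notify all participants of this thread
    if self.enable_auto_reply and getattr(communication, "is_first", False):
        self.send_auto_reply(communication, email)

    return communication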