def _get_desc(self): for module in self: path = modules.get_module_resource( module.name, 'static/description/index.html') if path: with tools.file_open(path, 'rb') as desc_file: doc = desc_file.read() html = lxml.html.document_fromstring(doc) for element, attribute, link, pos in html.iterlinks(): if element.get('src') and not '//' in element.get( 'src') and not 'static/' in element.get('src'): element.set( 'src', "/%s/static/description/%s" % (module.name, element.get('src'))) module.description_html = tools.html_sanitize( lxml.html.tostring(html)) else: overrides = { 'embed_stylesheet': False, 'doctitle_xform': False, 'output_encoding': 'unicode', 'xml_declaration': False, 'file_insertion_enabled': False, } output = publish_string(source=module.description or '', settings_overrides=overrides, writer=MyWriter()) module.description_html = tools.html_sanitize(output)
def test_style_parsing(self): test_data = [ ( '<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>', ['background-color: red', 'Coin coin'], ['position', 'top', 'left'] ), ( """<div style='before: "Email Address; coincoin cheval: lapin"; font-size: 30px; max-width: 100%; after: "Not sure this; means: anything ?#ùµ" ; some-property: 2px; top: 3'>youplaboum</div>""", ['font-size: 30px', 'youplaboum'], ['some-property', 'top', 'cheval'] ), ( '<span style="width">Coincoin</span>', [], ['width'] ) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test, sanitize_attributes=False, sanitize_style=True, strip_style=False, strip_classes=False) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertNotIn(text, new_html) # style should not be sanitized if removed new_html = html_sanitize(test_data[0][0], sanitize_attributes=False, strip_style=True, strip_classes=False) self.assertEqual(new_html, u'<span>Coin coin </span>')
def test_quote_text(self): html = html_sanitize(test_mail_examples.TEXT_1) for ext in test_mail_examples.TEXT_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.TEXT_1_OUT: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html) html = html_sanitize(test_mail_examples.TEXT_2) for ext in test_mail_examples.TEXT_2_IN: self.assertIn(ext, html) for ext in test_mail_examples.TEXT_2_OUT: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_misc(self): # False / void should not crash html = html_sanitize('') self.assertEqual(html, '') html = html_sanitize(False) self.assertEqual(html, False) # Message with xml and doctype tags don't crash html = html_sanitize(u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n') self.assertNotIn('encoding', html) self.assertNotIn('<title>404 - Not Found</title>', html) self.assertIn('<h1>404 - Not Found</h1>', html)
def test_quote_hotmail_html(self): html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML) for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT: self.assertIn(ext, html) html = html_sanitize(test_mail_examples.HOTMAIL_1) for ext in test_mail_examples.HOTMAIL_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.HOTMAIL_1_OUT: self.assertIn(ext, html)
def convert_answer_to_comment(self): """ Tools to convert an answer (forum.post) to a comment (mail.message). The original post is unlinked and a new comment is posted on the question using the post create_uid as the comment's author. """ self.ensure_one() if not self.parent_id: return self.env['mail.message'] # karma-based action check: use the post field that computed own/all value if not self.can_comment_convert: raise KarmaError('Not enough karma to convert an answer to a comment') # post the message question = self.parent_id values = { 'author_id': self.sudo().create_uid.partner_id.id, # use sudo here because of access to res.users model 'body': tools.html_sanitize(self.content, sanitize_attributes=True, strip_style=True, strip_classes=True), 'message_type': 'comment', 'subtype': 'mail.mt_comment', 'date': self.create_date, } new_message = question.with_context(mail_create_nosubscribe=True).message_post(**values) # unlink the original answer, using SUPERUSER_ID to avoid karma issues self.sudo().unlink() return new_message
def test_quote_basic_text(self): test_data = [ ( """This is Sparta!\n--\nAdministrator\n+9988776655""", ['This is Sparta!'], ['\n--\nAdministrator\n+9988776655'] ), ( """<p>This is Sparta!\n--\nAdministrator</p>""", [], ['\n--\nAdministrator'] ), ( """<p>This is Sparta!<br/>--<br>Administrator</p>""", ['This is Sparta!'], [] ), ( """This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""", ['This is Sparta!', 'Certes', 'Clair'], ['\n>Ah bon ?', '\n> Chouette !'] ) ] for test, in_lst, out_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html) for text in out_lst: self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(text), new_html)
def test_quote_blockquote(self): html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT: self.assertIn( u'<span data-o-mail-quote="1">%s' % misc.html_escape(ext), html)
def test_cid_with_at(self): img_tag = '<img src="@">' sanitized = html_sanitize(img_tag, sanitize_tags=False, strip_classes=True) self.assertEqual( img_tag, sanitized, "img with can have cid containing @ and shouldn't be escaped")
def test_quote_thunderbird(self): html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1) for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT: self.assertIn( u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
def test_edi_source(self): html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE) self.assertIn( 'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;', html, 'html_sanitize removed valid styling') self.assertIn( 'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html, 'html_sanitize removed valid img') self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
def test_sanitize_escape_emails(self): emails = [ "Charles <*****@*****.**>", "Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>", "Technical <service/[email protected]>", "Div nico <*****@*****.**>" ] for email in emails: self.assertIn(misc.html_escape(email), html_sanitize(email), 'html_sanitize stripped emails of original html')
def test_sanitize_unescape_emails(self): not_emails = [ '<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>', '<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">'] for email in not_emails: sanitized = html_sanitize(email) left_part = email.split('>')[0] # take only left part, as the sanitizer could add data information on node self.assertNotIn(misc.html_escape(email), sanitized, 'html_sanitize stripped emails of original html') self.assertIn(left_part, sanitized)
def test_evil_malicious_code(self): # taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests cases = [ ("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons ("<IMG SRC=javascript:alert('XSS')>"), # UTF-8 Unicode encoding ("<IMG SRC=javascript:alert('XSS')>"), # hex encoding ("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return ("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline ("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab ("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab ("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters ("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html ("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"), # malformed tag ("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits ("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits ("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>"), # extraneous open brackets ("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags ("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"), # input image ("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image ("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc ("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc ("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table ("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td ("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background ("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"), # div background with unicoded exploit ("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters ("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image ("<BODY ONLOAD=alert('XSS')>"), # event handler ("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes ("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"), # style sheet ("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">"), # remote style sheet ("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2 ("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"), # remote style sheet 3 ("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"), # remote style sheet 4 ("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"), # style attribute using a comment to break up expression ] for content in cases: html = html_sanitize(content) self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript') self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html)) content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block self.assertEquals(html_sanitize(content, silent=False), '')
def test_basic_sanitizer(self): cases = [ ("yop", "<p>yop</p>"), # simple ("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text ("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci", u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode ] for content, expected in cases: html = html_sanitize(content) self.assertEqual(html, expected, 'html_sanitize is broken')
def test_quote_signature(self): test_data = [ ( """<div>Hello<pre>--<br />Administrator</pre></div>""", ["<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">"], ) ] for test, in_lst in test_data: new_html = html_sanitize(test) for text in in_lst: self.assertIn(text, new_html)
def test_html(self): sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE) for tag in [ '<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href' ]: self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html') for attr in ['javascript']: self.assertNotIn( attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
def test_style_class_only(self): html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=False, sanitize_style=True, strip_classes=True) for ext in test_mail_examples.REMOVE_CLASS_IN: self.assertIn(ext, html) for ext in test_mail_examples.REMOVE_CLASS_OUT: self.assertNotIn( ext, html, )
def compute_tips(self, company, user): tip = self.env['digest.tip'].search( [('user_ids', '!=', user.id), '|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)], limit=1) if not tip: return False tip.user_ids = [4, user.id] body = tools.html_sanitize(tip.tip_description) tip_description = self.env['mail.template'].render_template( body, 'digest.tip', self.id) return tip_description
def compute_tips(self, company, user, tips_count=1, consumed=True): tips = self.env['digest.tip'].search( [('user_ids', '!=', user.id), '|', ('group_id', 'in', user.groups_id.ids), ('group_id', '=', False)], limit=tips_count) tip_descriptions = [ self.env['mail.render.mixin']._render_template( tools.html_sanitize(tip.tip_description), 'digest.tip', tip.ids, post_process=True)[tip.id] for tip in tips ] if consumed: tips.user_ids += user return tip_descriptions
def test_mako(self): cases = [('''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''', '''<p>Some text</p> <% set signup_url = object.get_signup_url() %> % if signup_url: <p> You can access this document and pay online via our Customer Portal: </p>''')] for content, expected in cases: html = html_sanitize(content, silent=False) self.assertEqual(html, expected, 'html_sanitize: broken mako management')
def _action_send_statistics(self): """Send an email to the responsible of each finished mailing with the statistics.""" self.kpi_mail_required = False for mailing in self: user = mailing.user_id mailing = mailing.with_context( lang=user.lang or self._context.get('lang')) link_trackers = self.env['link.tracker'].search([ ('mass_mailing_id', '=', mailing.id) ]).sorted('count', reverse=True) link_trackers_body = self.env['ir.qweb']._render( 'mass_mailing.mass_mailing_kpi_link_trackers', { 'object': mailing, 'link_trackers': link_trackers }, ) rendered_body = self.env['ir.qweb']._render( 'digest.digest_mail_main', { 'body': tools.html_sanitize(link_trackers_body), 'company': user.company_id, 'user': user, 'display_mobile_banner': True, **mailing._prepare_statistics_email_values() }, ) full_mail = self.env['mail.render.mixin']._render_encapsulate( 'digest.digest_mail_layout', rendered_body, ) mail_values = { 'subject': _('24H Stats of mailing "%s"') % mailing.subject, 'email_from': user.email_formatted, 'email_to': user.email_formatted, 'body_html': full_mail, 'auto_delete': True, } mail = self.env['mail.mail'].sudo().create(mail_values) mail.send(raise_exception=False)
def send_mail_test(self): self.ensure_one() mails = self.env['mail.mail'] mailing = self.mass_mailing_id test_emails = tools.email_split(self.email_to) for test_mail in test_emails: # Convert links in absolute URLs before the application of the shortener mailing.write({ 'body_html': self.env['mail.template']._replace_local_links( mailing.body_html) }) mail_values = { 'email_from': mailing.email_from, 'reply_to': mailing.reply_to, 'email_to': test_mail, 'subject': mailing.name, 'body_html': tools.html_sanitize(mailing.body_html, sanitize_attributes=True, sanitize_style=True, strip_classes=True), 'notification': True, 'mailing_id': mailing.id, 'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids], 'auto_delete': True, } mail = self.env['mail.mail'].create(mail_values) mails |= mail mails.send() return True
def test_quote_thunderbird_html(self): html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_HTML) for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_IN: self.assertIn(ext, html) for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_OUT: self.assertIn(ext, html)
def generate_email(self, res_ids, fields=None): """Generates an email from the template for given the given model based on records given by res_ids. :param template_id: id of the template to render. :param res_id: id of the record to use for rendering the template (model is taken from template definition) :returns: a dict containing all relevant fields for creating a new mail.mail entry, with one extra key ``attachments``, in the format [(report_name, data)] where data is base64 encoded. """ self.ensure_one() multi_mode = True if isinstance(res_ids, pycompat.integer_types): res_ids = [res_ids] multi_mode = False if fields is None: fields = [ 'subject', 'body_html', 'email_from', 'email_to', 'partner_to', 'email_cc', 'reply_to', 'scheduled_date' ] res_ids_to_templates = self.get_email_template(res_ids) # templates: res_id -> template; template -> res_ids templates_to_res_ids = {} for res_id, template in res_ids_to_templates.items(): templates_to_res_ids.setdefault(template, []).append(res_id) results = dict() for template, template_res_ids in templates_to_res_ids.items(): Template = self.env['mail.template'] # generate fields value for all res_ids linked to the current template if template.lang: Template = Template.with_context( lang=template._context.get('lang')) for field in fields: Template = Template.with_context(safe=field in {'subject'}) generated_field_values = Template.render_template( getattr(template, field), template.model, template_res_ids, post_process=(field == 'body_html')) for res_id, field_value in generated_field_values.items(): results.setdefault(res_id, dict())[field] = field_value # compute recipients if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']): results = template.generate_recipients(results, template_res_ids) # update values for all res_ids for res_id in template_res_ids: values = results[res_id] # body: add user signature, sanitize if 'body_html' in fields and template.user_signature: signature = self.env.user.signature if signature: values['body_html'] = tools.append_content_to_html( values['body_html'], signature, plaintext=False) if values.get('body_html'): values['body'] = tools.html_sanitize(values['body_html']) # technical settings values.update( mail_server_id=template.mail_server_id.id or False, auto_delete=template.auto_delete, keep_days=template.keep_days, model=template.model, res_id=res_id or False, attachment_ids=[ attach.id for attach in template.attachment_ids ], ) # Add report in attachments: generate once for all template_res_ids if template.report_template: for res_id in template_res_ids: attachments = [] report_name = self.render_template(template.report_name, template.model, res_id) report = template.report_template report_service = report.report_name if report.report_type not in ['qweb-html', 'qweb-pdf']: raise UserError( _('Unsupported report type %s found.') % report.report_type) result, format = report.render_qweb_pdf([res_id]) # TODO in trunk, change return format to binary to match message_post expected format result = base64.b64encode(result) if not report_name: report_name = 'report.' + report_service ext = "." + format if not report_name.endswith(ext): report_name += ext attachments.append((report_name, result)) results[res_id]['attachments'] = attachments return multi_mode and results or results[res_ids[0]]
def send_mail_test(self): self.ensure_one() ctx = dict(self.env.context) ctx.pop('default_state', None) self = self.with_context(ctx) mails_sudo = self.env['mail.mail'].sudo() mailing = self.mass_mailing_id test_emails = tools.email_split(self.email_to) mass_mail_layout = self.env.ref( 'mass_mailing.mass_mailing_mail_layout') record = self.env[mailing.mailing_model_real].search([], limit=1) body = mailing._prepend_preview(mailing.body_html, mailing.preview) subject = mailing.subject # If there is atleast 1 record for the model used in this mailing, then we use this one to render the template # Downside: Jinja syntax is only tested when there is atleast one record of the mailing's model if record: # Returns a proper error if there is a syntax error with jinja body = self.env['mail.render.mixin']._render_template( body, mailing.mailing_model_real, record.ids, post_process=True)[record.id] subject = self.env['mail.render.mixin']._render_template( subject, mailing.mailing_model_real, record.ids)[record.id] # Convert links in absolute URLs before the application of the shortener body = self.env['mail.render.mixin']._replace_local_links(body) body = tools.html_sanitize(body, sanitize_attributes=True, sanitize_style=True) for test_mail in test_emails: mail_values = { 'email_from': mailing.email_from, 'reply_to': mailing.reply_to, 'email_to': test_mail, 'subject': subject, 'body_html': mass_mail_layout._render({'body': body}, engine='ir.qweb', minimal_qcontext=True), 'notification': True, 'mailing_id': mailing.id, 'attachment_ids': [(4, attachment.id) for attachment in mailing.attachment_ids], 'auto_delete': True, 'mail_server_id': mailing.mail_server_id.id, } mail = self.env['mail.mail'].sudo().create(mail_values) mails_sudo |= mail mails_sudo.send() return True
def generate_email(self, res_ids, fields): """Generates an email from the template for given the given model based on records given by res_ids. :param res_id: id of the record to use for rendering the template (model is taken from template definition) :returns: a dict containing all relevant fields for creating a new mail.mail entry, with one extra key ``attachments``, in the format [(report_name, data)] where data is base64 encoded. """ self.ensure_one() multi_mode = True if isinstance(res_ids, int): res_ids = [res_ids] multi_mode = False results = dict() for lang, ( template, template_res_ids) in self._classify_per_lang(res_ids).items(): for field in fields: template = template.with_context(safe=(field == 'subject')) generated_field_values = template._render_field( field, template_res_ids, post_process=(field == 'body_html')) for res_id, field_value in generated_field_values.items(): results.setdefault(res_id, dict())[field] = field_value # compute recipients if any(field in fields for field in ['email_to', 'partner_to', 'email_cc']): results = template.generate_recipients(results, template_res_ids) # update values for all res_ids for res_id in template_res_ids: values = results[res_id] if values.get('body_html'): values['body'] = tools.html_sanitize(values['body_html']) # technical settings values.update( mail_server_id=template.mail_server_id.id or False, auto_delete=template.auto_delete, model=template.model, res_id=res_id or False, attachment_ids=[ attach.id for attach in template.attachment_ids ], ) # Add report in attachments: generate once for all template_res_ids if template.report_template: for res_id in template_res_ids: attachments = [] report_name = template._render_field( 'report_name', [res_id])[res_id] report = template.report_template report_service = report.report_name if report.report_type in ['qweb-html', 'qweb-pdf']: result, format = report._render_qweb_pdf([res_id]) else: res = report._render([res_id]) if not res: raise UserError( _('Unsupported report type %s found.', report.report_type)) result, format = res # TODO in trunk, change return format to binary to match message_post expected format result = base64.b64encode(result) if not report_name: report_name = 'report.' + report_service ext = "." + format if not report_name.endswith(ext): report_name += ext attachments.append((report_name, result)) results[res_id]['attachments'] = attachments return multi_mode and results or results[res_ids[0]]