[IMP] fields: html: now supports a sanitize argument, telling
whether the content of the html field should be sanitized before storage. This parameter is true by default. Example of use: the body of an email template is considered html content, but contains mako directives that make it invalid html. Sanitizing the body can break the template; therefore storing it as html without sanitizing keeps its content intact. Added a test case to ensure this behavior. bzr revid: tde@openerp.com-20140227120254-6m8gvkt4hf28nl0e
parent
6a777b9e62
commit
42e2676f4b
@ -236,15 +236,24 @@ class char(_column):
|
||||||
class text(_column):
|
class text(_column):
|
||||||
_type = 'text'
|
_type = 'text'
|
||||||
|
|
||||||
|
|
||||||
class html(text):
|
class html(text):
|
||||||
_type = 'html'
|
_type = 'html'
|
||||||
_symbol_c = '%s'
|
_symbol_c = '%s'
|
||||||
def _symbol_f(x):
|
|
||||||
if x is None or x == False:
|
def _symbol_set_html(self, value):
|
||||||
|
if value is None or value is False:
|
||||||
return None
|
return None
|
||||||
return html_sanitize(x)
|
if not self._sanitize:
|
||||||
|
return value
|
||||||
_symbol_set = (_symbol_c, _symbol_f)
|
return html_sanitize(value)
|
||||||
|
|
||||||
|
def __init__(self, string='unknown', sanitize=True, **args):
|
||||||
|
super(html, self).__init__(string=string, **args)
|
||||||
|
self._sanitize = sanitize
|
||||||
|
# symbol_set redefinition because of sanitize specific behavior
|
||||||
|
self._symbol_f = self._symbol_set_html
|
||||||
|
self._symbol_set = (self._symbol_c, self._symbol_f)
|
||||||
|
|
||||||
import __builtin__
|
import __builtin__
|
||||||
|
|
||||||
|
|
|
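Review bot: `sanitize=False` makes `_symbol_set_html` hand the value back verbatim (`if not self._sanitize: return value`), so a field declared that way persists raw HTML and becomes a stored-XSS sink for anything rendered from it without escaping, yet neither the new `__init__` nor the method says so. Since the flag is meant for server-authored mako templates rather than user-entered content, I would document the constraint where the flag is stored, above `self._sanitize = sanitize`: `# sanitize=False persists the value untouched: reserve it for trusted, server-authored content (e.g. mako templates) and make sure the rendering path escapes or sanitizes the output.` Separately, the guard changed from `x == False` to `value is False`, so an integer `0` no longer maps to NULL and is now passed to `html_sanitize`; presumably harmless, but worth confirming it was intended. The surrounding module continues outside the hunk.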
@ -180,3 +180,51 @@ class TestPropertyField(common.TransactionCase):
|
||||||
self.partner.write(cr, alice, [partner_id], {'property_country': country_be})
|
self.partner.write(cr, alice, [partner_id], {'property_country': country_be})
|
||||||
self.assertEqual(self.partner.browse(cr, alice, partner_id).property_country.id, country_be, "Alice does not see the value he has set on the property field")
|
self.assertEqual(self.partner.browse(cr, alice, partner_id).property_country.id, country_be, "Alice does not see the value he has set on the property field")
|
||||||
self.assertEqual(self.partner.browse(cr, bob, partner_id).property_country.id, country_fr, "Changes made by Alice have overwritten Bob's value")
|
self.assertEqual(self.partner.browse(cr, bob, partner_id).property_country.id, country_fr, "Changes made by Alice have overwritten Bob's value")
|
||||||
|
|
||||||
|
|
||||||
|
class TestHtmlField(common.TransactionCase):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(TestHtmlField, self).setUp()
|
||||||
|
self.partner = self.registry('res.partner')
|
||||||
|
|
||||||
|
def test_00_sanitize(self):
|
||||||
|
cr, uid, context = self.cr, self.uid, {}
|
||||||
|
old_columns = self.partner._columns
|
||||||
|
self.partner._columns = dict(old_columns)
|
||||||
|
self.partner._columns.update({
|
||||||
|
'comment': fields.html('Secure Html', sanitize=False),
|
||||||
|
})
|
||||||
|
some_ugly_html = """<p>Oops this should maybe be sanitized
|
||||||
|
% if object.some_field and not object.oriented:
|
||||||
|
<table>
|
||||||
|
% if object.other_field:
|
||||||
|
<tr>
|
||||||
|
${object.mako_thing}
|
||||||
|
<td>
|
||||||
|
</tr>
|
||||||
|
% endif
|
||||||
|
<tr>
|
||||||
|
%if object.dummy_field:
|
||||||
|
<p>Youpie</p>
|
||||||
|
%endif"""
|
||||||
|
|
||||||
|
pid = self.partner.create(cr, uid, {
|
||||||
|
'name': 'Raoul Poilvache',
|
||||||
|
'comment': some_ugly_html,
|
||||||
|
}, context=context)
|
||||||
|
partner = self.partner.browse(cr, uid, pid, context=context)
|
||||||
|
self.assertEqual(partner.comment, some_ugly_html, 'Error in HTML field: content was sanitized but field has sanitize=False')
|
||||||
|
|
||||||
|
self.partner._columns.update({
|
||||||
|
'comment': fields.html('Unsecure Html', sanitize=True),
|
||||||
|
})
|
||||||
|
self.partner.write(cr, uid, [pid], {
|
||||||
|
'comment': some_ugly_html,
|
||||||
|
}, context=context)
|
||||||
|
partner = self.partner.browse(cr, uid, pid, context=context)
|
||||||
|
# sanitize should have closed tags left open in the original html
|
||||||
|
self.assertIn('</table>', partner.comment, 'Error in HTML field: content does not seem to have been sanitized despise sanitize=True')
|
||||||
|
self.assertIn('</td>', partner.comment, 'Error in HTML field: content does not seem to have been sanitized despise sanitize=True')
|
||||||
|
|
||||||
|
self.partner._columns = old_columns
|
||||||
|
|
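Review bot: `self.partner._columns = old_columns` at the end of `test_00_sanitize` is only reached when every assertion passes, so a failing assert leaves the swapped `comment` column on the shared `res.partner` registry entry and can contaminate later tests in the same process. Registering the restore right after the backup, `self.addCleanup(setattr, self.partner, '_columns', old_columns)` (assuming the TransactionCase base supports unittest cleanups), or wrapping the body in `try/finally`, makes the restore unconditional. Also, the `sanitize=True` branch only asserts that `</table>` and `</td>` were closed, which checks tag balancing rather than sanitization; adding a `<script>alert(1)</script>` element to `some_ugly_html` and asserting `self.assertNotIn('<script', partner.comment, 'script element survived sanitization')` would pin the property the field exists for, assuming `html_sanitize` strips script elements. The `TestPropertyField` class at the top of the hunk starts outside it.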