[IMP] fields: html: now supports a sanitize argument, telling
whether the content of the html field should be sanitized before storage. This parameter is true by default. Example of use: the body of an email template is considered html content, but contains Mako directives that make it invalid html. Sanitizing the body can break the template; therefore storing it as html without sanitizing keeps its content intact. Added a test case to ensure this behavior. bzr revid: tde@openerp.com-20140227120254-6m8gvkt4hf28nl0e
parent
6a777b9e62
commit
42e2676f4b
|
@ -236,15 +236,24 @@ class char(_column):
|
|||
class text(_column):
|
||||
_type = 'text'
|
||||
|
||||
|
||||
class html(text):
|
||||
_type = 'html'
|
||||
_symbol_c = '%s'
|
||||
def _symbol_f(x):
|
||||
if x is None or x == False:
|
||||
return None
|
||||
return html_sanitize(x)
|
||||
|
||||
_symbol_set = (_symbol_c, _symbol_f)
|
||||
def _symbol_set_html(self, value):
|
||||
if value is None or value is False:
|
||||
return None
|
||||
if not self._sanitize:
|
||||
return value
|
||||
return html_sanitize(value)
|
||||
|
||||
def __init__(self, string='unknown', sanitize=True, **args):
|
||||
super(html, self).__init__(string=string, **args)
|
||||
self._sanitize = sanitize
|
||||
# symbol_set redefinition because of sanitize specific behavior
|
||||
self._symbol_f = self._symbol_set_html
|
||||
self._symbol_set = (self._symbol_c, self._symbol_f)
|
||||
|
||||
import __builtin__
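Review bot: The new `__init__` takes `sanitize` as the second positional parameter and forwards only `**args` to the parent, so if `_column.__init__` accepts further positional parameters after `string`, a caller that passed one positionally now has it bound to `sanitize` (or raises TypeError); pulling it out of the keyword arguments instead, `def __init__(self, string='unknown', **args):` followed by `self._sanitize = args.pop('sanitize', True)` before the `super()` call, keeps the old positional contract. The class also lacks a docstring stating the trust boundary this flag introduces: with `sanitize=False` the value is stored and later rendered exactly as written, so `html_sanitize` no longer guards that column and the field should only be writable by trusted users (the template-body case from the commit message) — a short class docstring saying so would stop the flag being copied onto user-editable fields. A one-line comment that `value is False` deliberately narrows the old `x == False` test (which also matched `0`) would make that behaviour change visible to readers. Whether the class-level `_symbol_f`/`_symbol_set` definitions shown above are removed or kept as context cannot be told from this rendering; if kept, instances and the class now disagree on `_symbol_set`.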
|
||||
|
||||
|
|
|
@ -180,3 +180,51 @@ class TestPropertyField(common.TransactionCase):
|
|||
self.partner.write(cr, alice, [partner_id], {'property_country': country_be})
|
||||
self.assertEqual(self.partner.browse(cr, alice, partner_id).property_country.id, country_be, "Alice does not see the value he has set on the property field")
|
||||
self.assertEqual(self.partner.browse(cr, bob, partner_id).property_country.id, country_fr, "Changes made by Alice have overwritten Bob's value")
|
||||
|
||||
|
||||
class TestHtmlField(common.TransactionCase):
|
||||
|
||||
def setUp(self):
|
||||
super(TestHtmlField, self).setUp()
|
||||
self.partner = self.registry('res.partner')
|
||||
|
||||
def test_00_sanitize(self):
|
||||
cr, uid, context = self.cr, self.uid, {}
|
||||
old_columns = self.partner._columns
|
||||
self.partner._columns = dict(old_columns)
|
||||
self.partner._columns.update({
|
||||
'comment': fields.html('Secure Html', sanitize=False),
|
||||
})
|
||||
some_ugly_html = """<p>Oops this should maybe be sanitized
|
||||
% if object.some_field and not object.oriented:
|
||||
<table>
|
||||
% if object.other_field:
|
||||
<tr>
|
||||
${object.mako_thing}
|
||||
<td>
|
||||
</tr>
|
||||
% endif
|
||||
<tr>
|
||||
%if object.dummy_field:
|
||||
<p>Youpie</p>
|
||||
%endif"""
|
||||
|
||||
pid = self.partner.create(cr, uid, {
|
||||
'name': 'Raoul Poilvache',
|
||||
'comment': some_ugly_html,
|
||||
}, context=context)
|
||||
partner = self.partner.browse(cr, uid, pid, context=context)
|
||||
self.assertEqual(partner.comment, some_ugly_html, 'Error in HTML field: content was sanitized but field has sanitize=False')
|
||||
|
||||
self.partner._columns.update({
|
||||
'comment': fields.html('Unsecure Html', sanitize=True),
|
||||
})
|
||||
self.partner.write(cr, uid, [pid], {
|
||||
'comment': some_ugly_html,
|
||||
}, context=context)
|
||||
partner = self.partner.browse(cr, uid, pid, context=context)
|
||||
# sanitize should have closed tags left open in the original html
|
||||
self.assertIn('</table>', partner.comment, 'Error in HTML field: content does not seem to have been sanitized despise sanitize=True')
|
||||
self.assertIn('</td>', partner.comment, 'Error in HTML field: content does not seem to have been sanitized despise sanitize=True')
|
||||
|
||||
self.partner._columns = old_columns
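Review bot: `self.partner._columns` is patched on the shared registry model and only restored by the last statement, so any failing assertion in between leaves the `comment` column replaced for every later test in the process (TransactionCase rolls back the database, not Python attributes); the restore belongs in `self.addCleanup(setattr, self.partner, '_columns', old_columns)` right after `old_columns` is taken, or in a `try/finally`. The `sanitize=True` branch only asserts that `</table>` and `</td>` were emitted, which shows the parser closed tags but not that anything was actually removed; adding a disallowed element to `some_ugly_html` and asserting it is absent from `partner.comment` would pin the property the flag exists for. Finally, the labels are inverted relative to their flags (`'Secure Html'` is the `sanitize=False` column, `'Unsecure Html'` the `sanitize=True` one) and the two messages read "despise" for "despite"; swapping the labels and fixing the typo avoids misleading failure output.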
|
||||
|
|