[FIX] website, base: escaping and unescaping html

When saving a template in version 8.0, html would be saved as it should be displayed once on the site. In particular, if some text should be escaped once send to the browser, it will be saved as such. But when rendering, a text node content is unescaped two times: * for translation which seems wrong since we already use .text of a node which already escaped it, doing it one more time is bad, * when rendering the template, since the html template is stored in xml, This commit remove superfluous unescaping for translation, and add an escaping when saving the changed template content. closes #7967 opw-646889
2015-08-10 09:20:45 +02:00 · 2015-08-10 09:20:45 +02:00 · cdb9000449
parent 8827789ff2
commit cdb9000449
3 changed files with 20 additions and 1 deletions
--- a/addons/website/models/ir_ui_view.py
+++ b/addons/website/models/ir_ui_view.py
@ -7,6 +7,7 @@ from openerp import SUPERUSER_ID, api
 from openerp.addons.website.models import website
 from openerp.http import request
 from openerp.osv import osv, fields
+from openerp.tools import html_escape

 class view(osv.osv):
    _inherit = "ir.ui.view"
@ -119,6 +120,14 @@ class view(osv.osv):
            # ensure there's only one match
            [root] = arch.xpath(section_xpath)

+        # html text need to be escaped for xml storage
+        def escape_node(node):
+            node.text = node.text and html_escape(node.text)
+            node.tail = node.tail and html_escape(node.tail)
+        escape_node(replacement)
+        for descendant in replacement.iterdescendants():
+            escape_node(descendant)
+
        root.text = replacement.text
        root.tail = replacement.tail
        # replace all children
--- a/addons/website/tests/test_views.py
+++ b/addons/website/tests/test_views.py
@ -174,6 +174,16 @@ class TestViewSaving(common.TransactionCase):
            )
        )

+    def test_save_escaped_text(self):
+        view_id = self.registry('ir.ui.view').create(self.cr, self.uid, {
+            'arch':'<t>hello world</t>',
+            'type':'qweb'
+        })
+        view = self.registry('ir.ui.view').browse(self.cr, self.uid, view_id)
+        replacement = 'hello world &amp; &lt;angle brackets&gt;!'
+        view.save(replacement, xpath='/t')
+        self.assertEqual(view.render(), replacement, 'html special characters wrongly escaped')
+
    def test_save_only_embedded(self):
        Company = self.registry('res.company')
        company_id = 1
--- a/openerp/addons/base/ir/ir_ui_view.py
+++ b/openerp/addons/base/ir/ir_ui_view.py
@ -945,7 +945,7 @@ class view(osv.osv):
        def get_trans(text):
            if not text or not text.strip():
                return None
-            text = h.unescape(text.strip())
+            text = text.strip()
            if len(text) < 2 or (text.startswith('<!') and text.endswith('>')):
                return None
            return translate_func(text)