# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
from markupsafe import Markup
import re
from odoo.addons.base.models.ir_mail_server import extract_rfc2822_addresses
from odoo.addons.base.models.ir_qweb_fields import nl2br_enclose
from odoo.tests import tagged
from odoo.tests.common import BaseCase
from odoo.tools import (
is_html_empty, html_to_inner_content, html_sanitize, append_content_to_html, plaintext2html,
email_domain_normalize, email_normalize, email_re,
email_split, email_split_and_format, email_split_tuples,
single_email_re,
misc, formataddr,
prepend_html_content,
)
from . import test_mail_examples
@tagged('mail_sanitize')
class TestSanitizer(BaseCase):
""" Test the html sanitizer that filters html to remove unwanted attributes """
def test_abrupt_close(self):
payload = """ -->"""
html_result = html_sanitize(payload)
self.assertNotIn('alert(1)', html_result)
payload = """ -->"""
html_result = html_sanitize(payload)
self.assertNotIn('alert(1)', html_result)
def test_abrut_malformed(self):
payload = """"""
html_result = html_sanitize(payload)
self.assertNotIn('alert(1)', html_result)
payload = """"""
html_result = html_sanitize(payload)
self.assertNotIn('alert(1)', html_result)
def test_basic_sanitizer(self):
cases = [
("yop", "yop
"), # simple
("lalayop
xxx", "lala
yop
xxx"), # trailing text
("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci",
u"Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci
"), # unicode
]
for content, expected in cases:
html = html_sanitize(content)
self.assertEqual(html, expected, 'html_sanitize is broken')
def test_comment_malformed(self):
html = ''' 
--> comment --> out of context balise --!>'''
html_result = html_sanitize(html)
self.assertNotIn('alert(1)', html_result)
def test_comment_multiline(self):
payload = """
-->
"""
html_result = html_sanitize(payload)
self.assertNotIn('alert(1)', html_result)
def test_evil_malicious_code(self):
# taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
cases = [
(")
"), # no quotes and semicolons
(""), # UTF-8 Unicode encoding
(""), # hex encoding
("![](\"jav
ascript:alert('XSS');\")
"), # embedded carriage return
("![](\"jav
ascript:alert('XSS');\")
"), # embedded newline
("![](\"jav)
"), # embedded tab
("![](\"jav ascript:alert('XSS');\")
"), # embedded encoded tab
("![](\")
"), # spaces and meta-characters
("![](\"javascript:alert('XSS')\""),)
\">"), # malformed tag
(""), # non-alpha-non-digits
(""), # non-alpha-non-digits
("<"), # extraneous open brackets
("