[FIX] tools: mail: when cleaning, unescape mako specific symbols.

Indeed those are escaped when contained inside an href or mailto element
of a tag, leading to mako not rendering the element.

bzr revid: tde@openerp.com-20140123125137-4u4i88f1ajybg5f2
Thibault Delavallée 2014-01-23 13:51:37 +01:00
parent 5528b9b2d8
commit 5f1ec49ecd
1 changed files with 3 additions and 0 deletions


@ -29,6 +29,7 @@ import re
import socket
import threading
import time
import xml
from email.utils import getaddresses
import openerp
@ -95,6 +96,8 @@ def html_sanitize(src, silent=True, strict=False):
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
cleaner = clean.Cleaner(**kwargs)
cleaned = cleaner.clean_html(src)
# MAKO compatibility: $, { and } inside quotes are escaped, preventing correct mako execution
cleaned = xml.sax.saxutils.unescape(cleaned, {'%24': '$', '%7B': '{', '%7D': '}', '%20': ' '})
except etree.ParserError, e:
if 'empty' in str(e):
return ""
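Review bot: `xml.sax.saxutils.unescape` on the added line always decodes `&lt;`, `&gt;` and `&amp;` in addition to the four entries passed in, so text the Cleaner left as escaped markup comes out of `html_sanitize` as live tags. Plain string replacement restores only the mako characters: `for quoted, char in (('%24', '$'), ('%7B', '{'), ('%7D', '}'), ('%20', ' ')):` followed by `cleaned = cleaned.replace(quoted, char)`. That also removes the need for the bare `import xml` added in the first hunk, which does not by itself load the `xml.sax.saxutils` submodule. The replacement runs over the whole document rather than only href/mailto values, so it presumably also rewrites `%20` in ordinary URLs and restores `${...}` in content that may come from untrusted senders; worth confirming that such output is never rendered by mako. The body of `html_sanitize` starts and ends outside the hunk.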