[DOC] Added some comments. Updated failure message. Added a logging message when not capable of parsing.

bzr revid: tde@openerp.com-20121226164354-tjquf1zdyr90tl5e
2012-12-26 17:43:54 +01:00 · 2012-12-26 17:43:54 +01:00 · be5118c704
parent d7185be38c
commit be5118c704
2 changed files with 4 additions and 3 deletions
--- a/openerp/tests/test_mail.py
+++ b/openerp/tests/test_mail.py
@ -179,6 +179,7 @@ class TestSanitizer(unittest2.TestCase):
            self.assertEqual(html, expected, 'html_sanitize is broken')

    def test_evil_malicious_code(self):
+        # taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
        cases = [
            ("<IMG SRC=javascript:alert('XSS')>"),  # no quotes and semicolons
            ("<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"),  # UTF-8 Unicode encoding
--- a/openerp/tools/mail.py
+++ b/openerp/tools/mail.py
@ -40,7 +40,6 @@ _logger = logging.getLogger(__name__)
 # HTML Sanitizer
 #----------------------------------------------------------

-# FIXME: shouldn't this be a whitelist rather than a blacklist?!
 tags_to_kill = ["script", "head", "meta", "title", "link", "style", "frame", "iframe", "base", "object", "embed"]
 tags_to_remove = ['html', 'body', 'font']

@ -50,12 +49,13 @@ def html_sanitize(src):
        return src
    src = ustr(src, errors='replace')

-    # some cases make the parser crash (such as SCRIPT/XSS in test_mail)
+    # some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
    try:
        cleaner = clean.Cleaner(page_structure=True, style=False, safe_attrs_only=False, forms=False, kill_tags=tags_to_kill, remove_tags=tags_to_remove)
        cleaned = cleaner.clean_html(src)
    except:
-        cleaned = 'Impossible to parse'
+        _logger.debug('Failed to parse %s' % (src))
+        cleaned = '<p>Impossible to parse</p>'
    return cleaned