From cdb900044960f03df81cead4921c6e7cc05d8ba3 Mon Sep 17 00:00:00 2001
From: Nicolas Lempereur
Date: Mon, 10 Aug 2015 09:20:45 +0200
Subject: [PATCH] [FIX] website, base: escaping and unescaping html

When saving a template in version 8.0, html would be saved as it should be displayed once on the site. In particular, if some text should be escaped once send to the browser, it will be saved as such. But when rendering, a text node content is unescaped two times:
* for translation which seems wrong since we already use .text of a node which already escaped it, doing it one more time is bad,
* when rendering the template, since the html template is stored in xml,
This commit remove superfluous unescaping for translation, and add an escaping when saving the changed template content.
closes #7967 opw-646889
---
 addons/website/models/ir_ui_view.py | 9 +++++++++
 addons/website/tests/test_views.py | 10 ++++++++++
 openerp/addons/base/ir/ir_ui_view.py | 2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/addons/website/models/ir_ui_view.py b/addons/website/models/ir_ui_view.py
index 9a3a84a9adb..2895379dcf4 100644
--- a/addons/website/models/ir_ui_view.py
+++ b/addons/website/models/ir_ui_view.py
@@ -7,6 +7,7 @@ from openerp import SUPERUSER_ID, api
 from openerp.addons.website.models import website
 from openerp.http import request
 from openerp.osv import osv, fields
+from openerp.tools import html_escape

 class view(osv.osv):
 _inherit = "ir.ui.view"
@@ -119,6 +120,14 @@ class view(osv.osv):
 # ensure there's only one match
 [root] = arch.xpath(section_xpath)

+ # html text need to be escaped for xml storage
+ def escape_node(node):
+ node.text = node.text and html_escape(node.text)
+ node.tail = node.tail and html_escape(node.tail)
+ escape_node(replacement)
+ for descendant in replacement.iterdescendants():
+ escape_node(descendant)
+
 root.text = replacement.text
 root.tail = replacement.tail
 # replace all children
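Review bot: In the `@@ -119,6 +120,14 @@` hunk of addons/website/models/ir_ui_view.py, `replacement.iterdescendants()` is called without a tag filter, and in lxml that iterator also yields comment and processing-instruction nodes, so their `.text` would be run through `html_escape` too. If `replacement` can contain comments (not visible here), `for descendant in replacement.iterdescendants(tag=etree.Element):` keeps the escaping to element text and tails, assuming `lxml.etree` is in scope as `etree` in this module. The one-line comment would also be stronger if it stated the invariant the code depends on, for example `# rendering unescapes text nodes once; store editor text escaped one extra level so it cannot come back as markup`, and said that attribute values are left untouched on purpose. The enclosing method starts and ends outside the hunk.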
diff --git a/addons/website/tests/test_views.py b/addons/website/tests/test_views.py
index 1adb11712ec..c8e7efb9044 100644
--- a/addons/website/tests/test_views.py
+++ b/addons/website/tests/test_views.py
@@ -174,6 +174,16 @@ class TestViewSaving(common.TransactionCase):
 )
 )

+ def test_save_escaped_text(self):
+ view_id = self.registry('ir.ui.view').create(self.cr, self.uid, {
+ 'arch':'hello world',
+ 'type':'qweb'
+ })
+ view = self.registry('ir.ui.view').browse(self.cr, self.uid, view_id)
+ replacement = 'hello world & <angle brackets>!'
+ view.save(replacement, xpath='/t')
+ self.assertEqual(view.render(), replacement, 'html special characters wrongly escaped')
+
 def test_save_only_embedded(self):
 Company = self.registry('res.company')
 company_id = 1
diff --git a/openerp/addons/base/ir/ir_ui_view.py b/openerp/addons/base/ir/ir_ui_view.py
index 7136c44ee71..2be02332660 100644
--- a/openerp/addons/base/ir/ir_ui_view.py
+++ b/openerp/addons/base/ir/ir_ui_view.py
@@ -945,7 +945,7 @@ class view(osv.osv):
 def get_trans(text):
 if not text or not text.strip():
 return None
- text = h.unescape(text.strip())
+ text = text.strip()
 if len(text) < 2 or (text.startswith('')):
 return None
 return translate_func(text)
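Review bot: `test_save_escaped_text` in addons/website/tests/test_views.py only covers the text of the single node matched by `xpath='/t'`, while the code change also escapes `tail` and every descendant of the replacement. A second case whose replacement has a child element followed by tail text containing `&` and an escaped angle bracket would cover the `node.tail` branch and the `iterdescendants()` loop. A quote character is worth adding as well, since how `html_escape` treats quotes is not visible here. The translation path changed in openerp/addons/base/ir/ir_ui_view.py is not exercised by this test, so the removal of `h.unescape` is unverified by it. Style: the dict literal is missing the space after each colon (`'type': 'qweb'`).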
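Review bot: In the `@@ -945,7 +945,7 @@` hunk of openerp/addons/base/ir/ir_ui_view.py, the changed line `text = text.strip()` carries no comment saying why the unescape must not be reintroduced. Going by the commit message, a comment above it such as `# text comes from node.text/.tail, already decoded by the XML parser; unescaping again would turn escaped markup into live markup` would record that. Two things to check outside the hunk: whether `h` is still used anywhere in the enclosing function (if not, its definition is now dead code), and whether existing translations whose source terms were stored in unescaped form still match the new lookup key. `get_trans` is nested in a function that begins before the hunk.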