[FIX] tools : removing html comments

This commit fixes the malformed comment that would sometimes comment out the rest of the html resulting in an improper display. this is due to the new html5 notation --!> not behing understood by our parser. this commit replaces any --!> into -->. this commit also remove  opw-2812488 closes odoo#125162 X-original-commit: e390601 Signed-off-by: Vranckx Florian (flvr) <flvr@odoo.com>
ngochung207 · Jun 21, 2023 · 74d058e · 74d058e
1 parent 2714469
commit 74d058e
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/odoo/addons/base/tests/test_mail.py b/odoo/addons/base/tests/test_mail.py
@@ -547,3 +547,35 @@ def test_alternative_correct_order(self):
         self.assertEqual(msg_on_the_wire.count('MIME-Version: 1.0'), 3,
             "There should be 3 headers MIME-Version: one on the enveloppe, "
             "one on the html part, one on the text part")
+
+    def test_comment_malformed(self):
+        html = '''<!-- malformed-close --!> <img src='x' onerror='alert(1)'></img> --> comment <!-- normal comment --> --> out of context balise --!>'''
+        html_result = html_sanitize(html)
+        self.assertNotIn('alert(1)', html_result)
+
+    def test_multiline(self):
+        payload = """
+            <div> <!--
+                multi line comment
+                --!> </div> <script> alert(1) </script> -->
+        """
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+    def test_abrupt_close(self):
+        payload = """<!--> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+        payload = """<!---> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+    def test_abrut_malformed(self):
+        payload = """<!--!> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+        payload = """<!---!> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
diff --git a/odoo/tools/mail.py b/odoo/tools/mail.py
@@ -226,6 +226,8 @@ def html_sanitize(src, silent=True, sanitize_tags=True, sanitize_attributes=Fals
         })
 
     try:
+        src = src.replace('--!>', '-->')
+        src = re.sub(r'(<!-->|<!--->)', '<!-- -->', src)
         # some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
         cleaner = _Cleaner(**kwargs)
         cleaned = cleaner.clean_html(src)