# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.

from unittest.mock import patch
import email.policy
import email.message
import re
import threading

from odoo.addons.base.models.ir_mail_server import extract_rfc2822_addresses
from odoo.tests.common import BaseCase, TransactionCase
from odoo.tests import tagged
from odoo.tools import (
    is_html_empty, html_to_inner_content, html_sanitize, append_content_to_html, plaintext2html,
    email_domain_normalize, email_normalize, email_split, email_split_and_format, html2plaintext,
    misc, formataddr, email_anonymize, prepend_html_content,
    config,
)

from . import test_mail_examples

# NOTE(review): in this copy of the file the HTML markup inside the test
# string literals appears to have been stripped (several payloads are empty
# strings, several expected values contain only text and blank lines).
# Presumably this happened when the page was extracted -- compare against the
# upstream file before treating any literal below as the real test vector.


class TestSanitizer(BaseCase):
    """ Test the html sanitizer that filters html to remove unwanted attributes """

    # Runs html_sanitize() on each `content` and requires an exact match with
    # `expected`; any difference fails with 'html_sanitize is broken'.
    def test_basic_sanitizer(self):
        cases = [
            ("yop", "

yop

"),  # simple
            ("lala

yop

xxx", "

lala

yop

xxx"),  # trailing text
            ("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci", u"

Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci

"),  # unicode
        ]
        for content, expected in cases:
            html = html_sanitize(content)
            self.assertEqual(html, expected, 'html_sanitize is broken')

    # XSS filter-evasion inputs; each trailing comment names the evasion
    # technique that the (here missing) payload is meant to exercise.
    def test_evil_malicious_code(self):
        # taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
        cases = [
            (""),  # no quotes and semicolons
            (""),  # UTF-8 Unicode encoding
            (""),  # hex encoding
            (""),  # embedded carriage return
            (""),  # embedded newline
            (""),  # embedded tab
            (""),  # embedded encoded tab
            (""),  # spaces and meta-characters
            ("\">"),  # malformed tag
            (""),  # non-alpha-non-digits
            (""),  # non-alpha-non-digits
            ("<"),  # extraneous open brackets
            # NOTE(review): the text is cut off inside the next literal. The rest
            # of this list, the loop that asserts on it, and whatever definitions
            # followed are not visible here; the statements below belong to a
            # method whose `def` line is missing from this copy.
            (" -->"""
        html_result = html_sanitize(payload)
        # Substring check only: it passes as soon as the literal text 'alert(1)'
        # is absent from the sanitized output.
        self.assertNotIn('alert(1)', html_result)

        payload = """ -->"""
        html_result = html_sanitize(payload)
        self.assertNotIn('alert(1)', html_result)

    # Sanitizes two payloads and requires that 'alert(1)' does not survive in
    # either result. Both payload literals are empty in this copy, so as shown
    # the assertions cannot fail for the reason the test name suggests.
    def test_abrut_malformed(self):
        payload = """"""
        html_result = html_sanitize(payload)
        self.assertNotIn('alert(1)', html_result)

        payload = """"""
        html_result = html_sanitize(payload)
        self.assertNotIn('alert(1)', html_result)


class TestMailTools(BaseCase):
    """ Test mail utility methods. """

    # Pins html2plaintext() output: the non-string input False is rendered as
    # the text 'False', whitespace-only input becomes '', and the longer cases
    # compare against a plain-text rendering that uses **...**, *...* and /.../
    # markers and a numbered "[1] <url>" reference for the image case.
    def test_html2plaintext(self):
        self.assertEqual(html2plaintext(False), 'False')
        self.assertEqual(html2plaintext('\t'), '')
        self.assertEqual(html2plaintext(' '), '')
        self.assertEqual(html2plaintext("""

Title

Sub title


Sub sub title

Sub sub sub title

Paragraph with bold

table element 1
table element 2

0 < 10 &   10 > 0

"""), """**Title** **Sub title** *Sub sub title* Sub sub sub title Paragraph /with/ *bold* table element 1 table element 2 0 < 10 & \N{NO-BREAK SPACE} 10 > 0""")
        # The expected reference line carries the URL's access_token query
        # parameter through to the plain-text output unchanged.
        self.assertEqual(html2plaintext('


'), """test-image [1] [1] /web/image/428-c064ab1b/test-image.jpg?access_token=f72b5ec5-a363-45fb-b9ad-81fc794d6d7b""")