From ff23483846daa772d067a494c1046d042feffe05 Mon Sep 17 00:00:00 2001
From: Martin Trigaux <mat@odoo.com>
Date: Fri, 20 Oct 2023 13:55:38 +0200
Subject: [PATCH] [FIX] developer: adapt markup documentation

On how to combine Markup and translations
Note that this does not work before 17.0

closes odoo/documentation#6189

Related: odoo/odoo#139316
Related: odoo/enterprise#49379
Signed-off-by: Martin Trigaux (mat) <mat@odoo.com>
---
 .../developer/reference/backend/security.rst  | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/content/developer/reference/backend/security.rst b/content/developer/reference/backend/security.rst
index 5daef4abb..9e6b4c4b0 100644
--- a/content/developer/reference/backend/security.rst
+++ b/content/developer/reference/backend/security.rst
@@ -418,9 +418,9 @@ the content (text).
     Markup('&lt;R&amp;D&gt; <br/> <p>Hello</p>')
     >>> escape("<R&D>")
     Markup('&lt;R&amp;D&gt;')
-    >>> escape(_("List of Tasks on project %s: %s")) % (
+    >>> _("List of Tasks on project %s: %s",
     ...     project.name,
-    ...     Markup("<ul>%s</ul>") % Markup().join([Markup("<li>%s</li>") % t.name for t in project.task_ids])
+    ...     Markup("<ul>%s</ul>") % Markup().join(Markup("<li>%s</li>") % t.name for t in project.task_ids)
     ... )
     Markup('Liste de tâches pour le projet &lt;R&amp;D&gt;: <ul><li>First &lt;R&amp;D&gt; task</li></ul>')
 
@@ -434,6 +434,22 @@ the content (text).
     >>> Markup(f"<p>Foo {self.bar}</p>")  # bad, bar is inserted before escaping
     >>> Markup("<p>Foo {bar}</p>").format(bar=self.bar)  # good, sorry no fstring
 
+When working with translations, it is especially important to separate the HTML
+from the text. The translation methods accepts a :class:`~markupsafe.Markup`
+parameters and will escape the translation if it gets receives at least one.
+
+.. code-block:: pycon
+
+    >>> Markup("<p>%s</p>") % _("Hello <R&D>")
+    Markup('<p>Bonjour &lt;R&amp;D&gt;</p>')
+    >>> _("Order %s has been confirmed", Markup("<a>%s</a>") % order.name)
+    Markup('Order <a>SO42</a> has been confirmed')
+    >>> _("Message received from %(name)s <%(email)s>",
+    ...   name=self.name,
+    ...   email=Markup("<a href='mailto:%s'>%s</a>") % (self.email, self.email)
+    Markup('Message received from Georges &lt;<a href=mailto:george@abitbol.example>george@abitbol.example</a>&gt;')
+
+
 Escaping vs Sanitizing
 ----------------------