From 9dd5bb4798d17f63a244e792a1fd1deda066662c Mon Sep 17 00:00:00 2001
From: SergiCForgeFlow <sergi.casau@forgeflow.com>
Date: Thu, 10 Aug 2023 12:55:29 +0200
Subject: [PATCH] [FIX] document_page: Stored XSS

---
 document_page/models/document_page.py     |  2 +-
 document_page/tests/test_document_page.py | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/document_page/models/document_page.py b/document_page/models/document_page.py
index 79f00374..e71e062d 100644
--- a/document_page/models/document_page.py
+++ b/document_page/models/document_page.py
@@ -27,7 +27,7 @@ class DocumentPage(models.Model):
         "document.page", "Category", domain=[("type", "=", "category")]
     )
     child_ids = fields.One2many("document.page", "parent_id", "Children")
-    content = fields.Text(
+    content = fields.Html(
         "Content",
         compute="_compute_content",
         inverse="_inverse_content",
diff --git a/document_page/tests/test_document_page.py b/document_page/tests/test_document_page.py
index 4b994bb1..9abcf28b 100644
--- a/document_page/tests/test_document_page.py
+++ b/document_page/tests/test_document_page.py
@@ -15,10 +15,10 @@ class TestDocumentPage(common.TransactionCase):
             {
                 "name": "Test Page 1",
                 "parent_id": self.category1.id,
-                "content": "Test content",
+                "content": "<p>Test content</p>",
             }
         )
-        self.assertEqual(page.content, "Test content")
+        self.assertEqual(page.content, "<p>Test content</p>")
         self.assertEqual(len(page.history_ids), 1)
         page.content = "New content for Demo Page"
         self.assertEqual(len(page.history_ids), 2)
@@ -35,12 +35,16 @@ class TestDocumentPage(common.TransactionCase):
         self.assertEqual(page.content, self.category1.template)
 
     def test_page_history_diff(self):
-        page = self.page_obj.create({"name": "Test Page 3", "content": "Test content"})
+        page = self.page_obj.create(
+            {"name": "Test Page 3", "content": "<p>Test content</p>"}
+        )
         page.content = "New content"
         self.assertIsNotNone(page.history_ids[0].diff)
 
     def test_page_link(self):
-        page = self.page_obj.create({"name": "Test Page 3", "content": "Test content"})
+        page = self.page_obj.create(
+            {"name": "Test Page 3", "content": "<p>Test content</p>"}
+        )
         self.assertEqual(
             page.backend_url,
             "/web#id={}&model=document.page&view_type=form".format(page.id),
@@ -55,7 +59,9 @@ class TestDocumentPage(common.TransactionCase):
         )
 
     def test_page_copy(self):
-        page = self.page_obj.create({"name": "Test Page 3", "content": "Test content"})
+        page = self.page_obj.create(
+            {"name": "Test Page 3", "content": "<p>Test content</p>"}
+        )
         page_copy = page.copy()
         self.assertEqual(page_copy.name, page.name + " (copy)")
         self.assertEqual(page_copy.content, page.content)