[14.0][FIX] document_page: Stored XSS

unitary tests added post-migration script added
2025-12-22 13:22:19 -06:00 · 2023-08-10 12:55:29 +02:00
parent d1b2e58312
commit eda3c2a1cb
9 changed files with 52 additions and 15 deletions
--- a/document_page/tests/init.py
+++ b/document_page/tests/init.py
@@ -4,3 +4,4 @@ from . import test_document_page
 from . import test_document_page_create_menu
 from . import test_document_page_history
 from . import test_document_page_show_diff
+from . import test_document_page_content_sanitized
--- a/document_page/tests/test_document_page.py
+++ b/document_page/tests/test_document_page.py
@@ -15,10 +15,10 @@ class TestDocumentPage(common.TransactionCase):
            {
                "name": "Test Page 1",
                "parent_id": self.category1.id,
-                "content": "Test content",
+                "content": "<p>Test content</p>",
            }
        )
-        self.assertEqual(page.content, "Test content")
+        self.assertEqual(page.content, "<p>Test content</p>")
        self.assertEqual(len(page.history_ids), 1)
        page.content = "New content for Demo Page"
        self.assertEqual(len(page.history_ids), 2)
@@ -35,12 +35,16 @@ class TestDocumentPage(common.TransactionCase):
        self.assertEqual(page.content, self.category1.template)

    def test_page_history_diff(self):
-        page = self.page_obj.create({"name": "Test Page 3", "content": "Test content"})
+        page = self.page_obj.create(
+            {"name": "Test Page 3", "content": "<p>Test content</p>"}
+        )
        page.content = "New content"
        self.assertIsNotNone(page.history_ids[0].diff)

    def test_page_link(self):
-        page = self.page_obj.create({"name": "Test Page 3", "content": "Test content"})
+        page = self.page_obj.create(
+            {"name": "Test Page 3", "content": "<p>Test content</p>"}
+        )
        self.assertEqual(
            page.backend_url,
            "/web#id={}&model=document.page&view_type=form".format(page.id),
@@ -55,7 +59,9 @@ class TestDocumentPage(common.TransactionCase):
        )

    def test_page_copy(self):
-        page = self.page_obj.create({"name": "Test Page 3", "content": "Test content"})
+        page = self.page_obj.create(
+            {"name": "Test Page 3", "content": "<p>Test content</p>"}
+        )
        page_copy = page.copy()
        self.assertEqual(page_copy.name, page.name + " (copy)")
        self.assertEqual(page_copy.content, page.content)
--- a/document_page/tests/test_document_page_content_sanitized.py
+++ b/document_page/tests/test_document_page_content_sanitized.py
@@ -0,0 +1,24 @@
+from odoo.tests import common
+
+
+class TestDocumentContentSanitized(common.TransactionCase):
+    def setUp(self):
+        super(TestDocumentContentSanitized, self).setUp()
+        self.page_obj = self.env["document.page"]
+        self.category1 = self.env.ref("document_page.demo_category1")
+
+    def test_page_content_sanitized(self):
+        malicious_page = self.page_obj.create(
+            {
+                "name": "Malicious Page",
+                "parent_id": self.category1.id,
+                "content": "<p>Test content</p><script> alert(1)</script>",
+            }
+        )
+        self.assertEqual(malicious_page.content, "<p>Test content</p>")
+
+        malicious_page.write(
+            {"content": "<p>Test content</p><script> alert(1)</script>"}
+        )
+
+        self.assertEqual(malicious_page.content, "<p>Test content</p>")