odoo/odoo#122154
Created by fw-bot
Statuses:
- legal/cla: Contributor License Agreement check
- ci/runbot: Odoo Test Suite
- ci/upgrade_enterprise: Test upgrades for enterprise master
- ci/style: Optional style check. Ignore it only if strictly necessary.
- ci/security: Overridden by @xmo-odoo
- ci/documentation: (runtime 67s)
- label: odoo-dev:master-16.0-opw-3297237-pivi-elKo-fw
- head: 3d5754afe6ecdf36eb5e027f8de21cb0e819db8e
- merged: 3 years ago by Framework (ORM), Piryns Victor (pivi)
| odoo/odoo branch | PR |
|---|---|
| 16.0 | #120764 |
| saas-16.1 | #122102 |
| saas-16.2 | #122124 |
| saas-16.3 | #122139 |
| 17.0 | |
| 18.0 | |
| saas-18.2 | |
| saas-18.3 | |
| saas-18.4 | |
| 19.0 | |
| saas-19.1 | |
| saas-19.2 | |
| saas-19.3 | |
| master | #122154 |
[FW][FIX] sale_quotation_builder: checkout product with blockquote description
Current behaviour
If we add a blockquote in the website_description of a product on the e-shop, we cannot check out the product: a silent HTTP 400 error code, due to an exception raised by
https://github.com/odoo/odoo/blob/bf772181933ce5334da35c8368455963b2478399/odoo/fields.py#L1987-L1993
Expected behaviour
You should be able to checkout products even if they have blockquote in their website_description.
Steps to reproduce
- Install eCommerce, sale_quotation_builder (issue is present only after installing sale_quotation_builder)
- On a product, with the website editor, add a blockquote to the description of the product > Save
- In a private browser window, as public user, visit the product on the e-shop and try to checkout with it.
- Observe there is no visible error, and we do not proceed in the checkout process.
Reason for the problem
The exception mentioned above is triggered when there is a difference between the html content that is saved in the DB and after sanitization, meaning that someone with escalated privilege saved the HTML content by overriding the sanitization with sanitize_overridable. In our use case the only diff is the presence of the attribute data-o-mail-quote-node which is removed after the sanitization.
Fix
This issue can be resolved two ways:
1) Adding data-o-mail-quote-node to the list of safe attributes, meaning it will not be removed during the sanitization process. Since this is an attribute that we add on <blockquote> nodes, it can be considered safe, just like data-o-mail-quote.
2) Remove the attribute sanitization of the website_description, just like it is done in the website_sale module. Since the website_description and quotation_description are both computed from one-another, they should have the same sanitization level.
I am implementing both solutions, 1) because adding the attribute to the safe list seems safe in general, and may prevent future issues of this sort. 2) because it is the root cause of the issue, since the bug is present only after installation of the sale_quotation_builder module.
Affected versions
- 16.0
- saas-16.1
- saas-16.2
- master
I confirm I have signed the CLA and read the PR guidelines at www.odoo.com/submit-pr
Forward-Port-Of: #120764
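The mechanism behind the bug, as an added illustration that is not Odoo's own code: a stored HTML value is re-sanitized on write and, if the result differs from what is stored, the field assumes the content was saved with sanitization overridden and refuses it. The toy sanitizer below only strips attributes that are not on a safe-list (it is not a real HTML sanitizer and does not handle self-closing tags), and the safe-list `SAFE_ATTRIBUTES`, the function names and the `sanitize_attributes` flag are assumptions for this example; Odoo's real safe-list and field logic live in odoo/tools/mail.py and odoo/fields.py and differ. The last two calls correspond to the two fixes in the description: adding `data-o-mail-quote-node` to the safe-list, or turning attribute sanitization off for the field.

```python
# Added illustration (not Odoo's code): why a stripped attribute makes the
# "stored value differs from its sanitized form" check fail, and how the two
# fixes from the PR description each make it pass.
from html.parser import HTMLParser

# Hypothetical safe-list; Odoo's real list in odoo/tools/mail.py differs.
SAFE_ATTRIBUTES = frozenset({"class", "href", "data-o-mail-quote"})


class AttributeStripper(HTMLParser):
    """Re-serialize HTML, dropping attributes that are not on the safe-list."""

    def __init__(self, safe_attrs):
        super().__init__(convert_charrefs=False)
        self.safe_attrs = safe_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        kept = [(k, v) for k, v in attrs if k in self.safe_attrs]
        # Boolean attributes arrive with v is None; emit them without a value.
        attr_text = "".join(f" {k}" if v is None else f' {k}="{v}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize(html, sanitize_attributes=True, safe_attrs=SAFE_ATTRIBUTES):
    """Strip unsafe attributes unless attribute sanitization is disabled
    (fix 2 in the description: same level as website_sale)."""
    if not sanitize_attributes:
        return html
    parser = AttributeStripper(safe_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def would_reject(stored, sanitize_attributes=True, safe_attrs=SAFE_ATTRIBUTES):
    """Model of the write-time check: True when re-sanitizing the stored
    value changes it, i.e. when the field would raise and the checkout
    would fail with a silent HTTP 400."""
    return sanitize(stored, sanitize_attributes, safe_attrs) != stored


# Constructed sample: a blockquote as saved with the quote-node marker.
STORED = (
    '<p>Great product</p>'
    '<blockquote data-o-mail-quote-node="1" class="note">quoted text</blockquote>'
)

if __name__ == "__main__":
    # Before the fix: the marker is stripped, so stored != sanitized -> rejected.
    print("default safe-list rejects:", would_reject(STORED))
    # Fix 1: add the attribute to the safe-list.
    print("extended safe-list rejects:",
          would_reject(STORED, safe_attrs=SAFE_ATTRIBUTES | {"data-o-mail-quote-node"}))
    # Fix 2: no attribute sanitization on this field at all.
    print("no attribute sanitization rejects:",
          would_reject(STORED, sanitize_attributes=False))
```

Both fixes make the comparison pass, but for different reasons: fix 1 keeps the sanitizer active and merely declares one more attribute harmless, while fix 2 removes the attribute check for that field entirely, which is why the description treats fix 1 as the general safeguard and fix 2 as the root-cause alignment with website_sale.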