Indeed those are escaped when contained inside an href or mailto element
of a tag, leading to mako not rendering the element.
bzr revid: tde@openerp.com-
20140123125137-4u4i88f1ajybg5f2
import socket
import threading
import time
+import xml
from email.utils import getaddresses
import openerp
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
cleaner = clean.Cleaner(**kwargs)
cleaned = cleaner.clean_html(src)
+ # MAKO compatibility: $, { and } inside quotes are escaped, preventing correct mako execution
+ cleaned = xml.sax.saxutils.unescape(cleaned, {'%24': '$', '%7B': '{', '%7D': '}', '%20': ' '})
except etree.ParserError, e:
if 'empty' in str(e):
return ""
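Review bot: `xml.sax.saxutils.unescape` on the new line also reverts `&lt;`, `&gt;` and `&amp;` to `<`, `>` and `&` regardless of the entities dictionary passed, so markup the cleaner just neutralized as entity text comes back as live tags in the returned value, undoing the sanitization this function exists for. The added `import xml` on its own does not load the `xml.sax.saxutils` submodule, so the attribute lookup succeeds only if some other module already imported it. Since the intent is only to reverse the percent-encoding of `$`, `{`, `}` and space, a plain replace does it without touching entities: `cleaned = cleaned.replace('%24', '$').replace('%7B', '{').replace('%7D', '}').replace('%20', ' ')`, and the `xml` import can then be dropped. Note that this substitution runs over the whole cleaned document rather than just `href` values, so a literal `%7B` in body text is rewritten too. The enclosing function and its `try:` begin outside the hunk.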