[IMP] mail sanitize: add special email address for escape in the sanitizer

bzr revid: chm@openerp.com-20130102090040-yh0vdv8b3mtwoebh

diff --git a/openerp/tests/test_mail.py b/openerp/tests/test_mail.py
index c0ba042..426c980 100644 (file)
--- a/openerp/tests/test_mail.py
+++ b/openerp/tests/test_mail.py
@@ -230,7 +230,7 @@ class TestSanitizer(unittest2.TestCase):
             self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
 
         emails =[("Charles <charles.bidule@truc.fr>", "<p>Charles &lt;charles.bidule@truc.fr&gt;</p>"), 
-                ("Dupuis <'tr/-:dupuis><#><$'@truc.baz.fr>", "<p>Dupuis &lt;'tr/-:dupuis&gt;&lt;#&gt;&lt;$'@truc.baz.fr&gt;</p>"),
+                ("Dupuis <'tr/-: ${dupuis><#><$'@truc.baz.fr>", "<p>Dupuis &lt;'tr/-: ${dupuis&gt;&lt;#&gt;&lt;$'@truc.baz.fr&gt;</p>"),
                 ("Technical <service/technical+2@open.com>", "<p>Technical &lt;service/technical+2@open.com&gt;</p>"),
                 ("Div nico <div-nico@open.com>", "<p>Div nico &lt;div-nico@open.com&gt;</p>")]
         for email in emails:

diff --git a/openerp/tools/mail.py b/openerp/tools/mail.py
index c0dc03b..01b6a7c 100644 (file)
--- a/openerp/tools/mail.py
+++ b/openerp/tools/mail.py
@@ -50,7 +50,7 @@ def html_sanitize(src):
     src = ustr(src, errors='replace')
 
     # html encode email tags
-    part = re.compile(r"(<\s*[^\s]+@[^\s]+\s*>)", re.IGNORECASE | re.DOTALL)
+    part = re.compile(r"(<\s*([^\s]+|'([^']|(?:\\)\\(\\\\)*')+'|\"([^\"]|(?:\\)\\(\\\\)*\")+\")@[^\s]+\s*>)", re.IGNORECASE | re.DOTALL)
     src = part.sub(lambda m: cgi.escape(m.group(1)), src)
     
     # some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)