[FIX]tools/mail: fix regex when sanitizing html containing mail address

author Cedric Snauwaert <csn@openerp.com>

Fri, 8 Mar 2013 10:48:50 +0000 (11:48 +0100)

committer Cedric Snauwaert <csn@openerp.com>

Fri, 8 Mar 2013 10:48:50 +0000 (11:48 +0100)
author Cedric Snauwaert <csn@openerp.com>
Fri, 8 Mar 2013 10:48:50 +0000 (11:48 +0100)
committer Cedric Snauwaert <csn@openerp.com>
Fri, 8 Mar 2013 10:48:50 +0000 (11:48 +0100)
diff --git a/openerp/tools/mail.py b/openerp/tools/mail.py

index 7ca9dd7..933c892 100644 (file)
--- a/openerp/tools/mail.py
+++ b/openerp/tools/mail.py
@@ -50,7 +50,7 @@ def html_sanitize(src):
      src = ustr(src, errors='replace')
  
      # html encode email tags
-    part = re.compile(r"(<[^<>]+@[^<>]+>)", re.IGNORECASE | re.DOTALL)
+    part = re.compile(r"(<(([^a<>]|a[^<>\s])[^<>]*)@[^<>]+>)", re.IGNORECASE | re.DOTALL)
      src = part.sub(lambda m: cgi.escape(m.group(1)), src)
      
      # some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
author	Cedric Snauwaert <csn@openerp.com>
	Fri, 8 Mar 2013 10:48:50 +0000 (11:48 +0100)
committer	Cedric Snauwaert <csn@openerp.com>
	Fri, 8 Mar 2013 10:48:50 +0000 (11:48 +0100)