diff --git a/report_py3o/models/py3o_report.py b/report_py3o/models/py3o_report.py
index 78db12ea..1e2866c3 100644
--- a/report_py3o/models/py3o_report.py
+++ b/report_py3o/models/py3o_report.py
@@ -7,6 +7,7 @@ from base64 import b64decode
 from cStringIO import StringIO
 import logging
 import os
+import cgi
 from contextlib import closing
 import subprocess
@@ -64,8 +65,7 @@ def py3o_report_extender(report_xml_id=None):
 def format_multiline_value(value):
 if value:
- return Markup(value.replace('<', '<').replace('>', '>').
- replace('\n', '').
+ return Markup(cgi.escape(value).replace('\n', '').
 replace('\t', ''))
 return ""
diff --git a/report_py3o/tests/test_report_py3o.py b/report_py3o/tests/test_report_py3o.py
index 0d85dff7..2cf49550 100644
--- a/report_py3o/tests/test_report_py3o.py
+++ b/report_py3o/tests/test_report_py3o.py
@@ -15,8 +15,16 @@ from odoo import tools
 from odoo.tests.common import TransactionCase
 from odoo.exceptions import ValidationError
-from ..models.py3o_report import TemplateNotFound
+from ..models.py3o_report import TemplateNotFound, format_multiline_value
 from base64 import b64encode
+import logging
+
+logger = logging.getLogger(__name__)
+
+try:
+ from genshi.core import Markup
+except ImportError:
+ logger.debug('Cannot import genshi.core')
 @contextmanager
@@ -188,3 +196,7 @@ class TestReportPy3o(TransactionCase):
 # non exising files are not valid template
 self.assertFalse(self.py3o_report._get_template_from_path(
 '/etc/test.odt'))
+
+ def test_escape_html_characters_format_multiline_value(self):
+ self.assertEqual(Markup('<>&test;'),
+ format_multiline_value('<>\n&test;'))
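Review bot: `cgi.escape` was deprecated in Python 3.2 and removed in 3.8, so the new `import cgi` in the first hunk and the call in `format_multiline_value` tie this module to Python 2 (the `cStringIO` import suggests it already is, but the dependency is worth a comment such as `# cgi.escape: Python 2 only; html.escape on Python 3`). Since `Markup` here is genshi's (the test hunk imports it from `genshi.core`), the same escaping is available without the extra import as `Markup.escape(value)`, which also escapes quotes by default, whereas `cgi.escape(value)` leaves `"` untouched — harmless in an XML text node but not if the value ever lands in an attribute. Wrapping the result in `Markup` marks it as trusted content, so any character the escaper misses is emitted verbatim into the generated document. If the replacement strings really are empty as shown (`replace('\n', '')`, `replace('\t', '')`), newlines and tabs are silently dropped rather than converted; this page may have stripped XML tags from those literals, so confirm against the repository.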
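Review bot: The `try`/`except ImportError` around `from genshi.core import Markup` only logs and continues, so when genshi is missing the new `test_escape_html_characters_format_multiline_value` in the last hunk fails with a `NameError` on `Markup` instead of being skipped; either let the import error propagate or set `Markup = None` in the except branch and guard the test with `@unittest.skipIf(Markup is None, 'genshi not installed')`. In that test, `assertEqual(Markup(...), ...)` also passes for a plain string with the same characters, because genshi's `Markup` is a unicode subclass compared by content; add `self.assertIsInstance(result, Markup)` so a regression that drops the `Markup` wrapper is caught. The expected literal `Markup('<>&test;')` appears HTML-entity-decoded on this page and should be checked against the repository before relying on it.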