
Commit b4b7704

committed
[FIX] base: tests t-att-href malicious code
task-5129524
1 parent f53ba4c commit b4b7704

1 file changed

+29
-0
lines changed


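--- a/odoo/addons/base/tests/test_qweb.py
+++ b/odoo/addons/base/tests/test_qweb.py
@@ -95,6 +95,35 @@ def test_xss_breakout(self):
 doc = etree.fromstring(rendered)
 self.assertEqual(len(doc.xpath('//script')), 1)
 
+def test_url_xss(self):
+# Fully static nodes allow for javascript scheme
+rendered = self.env['ir.qweb']._render(etree.fromstring('''<a href="javascript:alert('Hello World!')"/>'''))
+self.assertIn('href="javascript:', rendered)
+
+# Dynamic nodes DO NOT allow for javascript scheme
+rendered = self.env['ir.qweb']._render(etree.fromstring('''<a href="javascript:alert('Hello World!')" t-out="name"/>'''), values={"name": "Hello"})
+self.assertNotIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript:alert('Hello World!')"})
+self.assertNotIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": " javascript:alert('Hello World!')"})
+self.assertNotIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-attf-href="#{url}"/>'), values={"url": "javascript:alert('Hello World!')"})
+self.assertNotIn('href="javascript:', rendered)
+
+# history.back() exception
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript:window.history.back()"})
+self.assertIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript: window.history.back()"})
+self.assertIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript:history.back()"})
+self.assertIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript: history.back()"})
+self.assertIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript:alert('Hello World!');window.history.back()"})
+self.assertNotIn('href="javascript:', rendered)
+rendered = self.env['ir.qweb']._render(etree.fromstring('<a t-att-href="url"/>'), values={"url": "javascript:window.history.back();alert('Hello World!')"})
+self.assertNotIn('href="javascript:', rendered)
+
 def test_default_value(self):
 Partner = self.env['res.partner']
 t = self.env['ir.ui.view'].create({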
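Review bot: The `assertNotIn('href="javascript:', rendered)` checks in test_url_xss are exact-case substring tests, so they say nothing about what the sanitizer actually emits and would also pass if the renderer changed the scheme's case or dropped the attribute for an unrelated reason; the dynamic-node cases only use the lowercase scheme and one leading space, while the later `history.back()` cases show the sanitizer is doing a pattern match whose exact shape the test does not pin down. Comparing against the case-folded output, `self.assertNotIn('href="javascript:', rendered.casefold())`, and adding one mixed-case variant of the existing alert payload (e.g. `values={"url": "JavaScript:alert('Hello World!')"}`) would make the test assert the intended behaviour rather than the current implementation's spelling. A docstring on the new method stating the contract — static hrefs are left alone, dynamic hrefs drop the javascript scheme except the bare `history.back()` forms — would also help a reader tell the allowed cases from the rejected ones without parsing each payload. test_url_xss is fully inside the hunk; its enclosing test class starts outside it.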
