[FIX] sale_quotation_builder: checkout product w/ quote description
Current behaviour:

If we add a blockquote in the `website_description` of a product on the e-shop, we cannot check out the product. Silent HTTP 400 error code, due to an exception raised by https://github.com/odoo/odoo/blob/bf772181933ce5334da35c8368455963b2478399/odoo/fields.py#L1987-L1993

Expected behaviour:

You should be able to check out products even if they have a blockquote in their `website_description`.

Steps to reproduce:

- Install eCommerce, sale_quotation_builder (issue is present only after installing sale_quotation_builder)
- On a product, with the website editor, add a `blockquote` to the description of the product > Save
- In a private browser window, as public user, visit the product on the e-shop and try to check out with it.
- Observe there is no visible error, and we do not proceed in the checkout process.

Reason for the problem:

The exception mentioned above is triggered when there is a difference between the HTML content that is saved in the DB and the content after sanitization, meaning that someone with escalated privilege saved the HTML content by overriding the sanitization with `sanitize_overridable`. In our use case the only diff is the presence of the attribute `data-o-mail-quote-node`, which is removed after the sanitization.

Fix:

This issue can be resolved two ways:

1) Adding `data-o-mail-quote-node` to the list of safe attributes, meaning it will not be removed during the sanitization process. Since this is an attribute that we add on `<blockquote>` nodes, it can be considered safe, just like `data-o-mail-quote`.
2) Remove the attribute sanitization of the `website_description`, just like it is done in the website_sale module. Since the `website_description` and `quotation_description` are both computed from one another, they should have the same sanitization level.

I am implementing both solutions:

1) because adding the attribute to the safe list seems safe in general, and may prevent future issues of this sort.
2) because it is the root cause of the issue, since the bug is present only after installation of the `sale_quotation_builder` module.

Affected versions:

- 16.0
- saas-16.1
- saas-16.2
- master

opw-3297237

closes odoo/odoo#120764

Signed-off-by: Xavier Morel (xmo) <xmo@odoo.com>
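To make the mechanism in the message concrete (a write-time check that refuses stored HTML which differs from its own sanitized form, and why safe-listing the attribute makes the check pass), here is an added Python model. It is not Odoo's code: the safe list, the parser, the exception and the function names are all constructed for this example, and the sample description is constructed too.

```python
"""Constructed model of a safe-list HTML sanitizer plus the stored-vs-sanitized
comparison the commit message describes. Not Odoo's implementation."""
from html.parser import HTMLParser

# Assumed base safe list for the example (Odoo's real list is much longer).
SAFE_ATTRS = frozenset({"class", "href", "src", "data-o-mail-quote"})


class _AttrStripper(HTMLParser):
    """Re-emit the markup, dropping every attribute not in `safe_attrs`."""

    def __init__(self, safe_attrs):
        super().__init__()
        self.safe_attrs = safe_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        kept = [(k, v) for k, v in attrs if k in self.safe_attrs]
        self.out.append(f"<{tag}" + "".join(f' {k}="{v}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def sanitize(html, safe_attrs=SAFE_ATTRS):
    """Return `html` with only safe-listed attributes kept."""
    parser = _AttrStripper(safe_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


class SanitizationMismatch(Exception):
    """Stored HTML is not a fixed point of the sanitizer: someone bypassed it."""


def check_stored_html(stored, safe_attrs=SAFE_ATTRS):
    """Model of the write-time check: stored content must equal sanitize(stored).
    A mismatch means the value could only have been saved with sanitization
    overridden, so the write is refused instead of silently accepted."""
    if sanitize(stored, safe_attrs) != stored:
        raise SanitizationMismatch("stored HTML differs from its sanitized form")
    return True


def passes_check(stored, safe_attrs=SAFE_ATTRS):
    """True when the stored HTML would be accepted by `check_stored_html`."""
    try:
        return check_stored_html(stored, safe_attrs)
    except SanitizationMismatch:
        return False


# Constructed website_description, as the editor would save it for a blockquote.
STORED = '<p>Intro</p><blockquote data-o-mail-quote-node="1">Quote</blockquote>'
# Fix 1) from the message: the attribute joins the safe list, so the check passes.
SAFE_ATTRS_FIXED = SAFE_ATTRS | {"data-o-mail-quote-node"}
```

Running `passes_check(STORED)` reproduces the refusal (the attribute is stripped, so the two forms differ), while `passes_check(STORED, SAFE_ATTRS_FIXED)` accepts the same content.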