[FIX] tools : removing html comments

This commit fixes the malformed comment that would sometimes comment out the rest of the html resulting in an improper display. this is due to the new html5 notation --!> not behing understood by our parser. this commit replaces any --!> into -->. this commit also remove  opw-2812488 closes odoo/odoo#125183 X-original-commit: e3906018 Signed-off-by: Vranckx Florian (flvr) <flvr@odoo.com>

[FIX] tools : removing html comments
4fed0c36 · flvr-odoo · 7efefd26 · 4fed0c36 · 4fed0c36
Commit 4fed0c36 authored 1 year ago by flvr-odoo
--- a/odoo/addons/base/tests/test_mail.py
+++ b/odoo/addons/base/tests/test_mail.py
@@ -561,3 +561,35 @@ class TestEmailMessage(TransactionCase):
        self.assertEqual(msg_on_the_wire.count('MIME-Version: 1.0'), 3,
            "There should be 3 headers MIME-Version: one on the enveloppe, "
            "one on the html part, one on the text part")
+
+    def test_comment_malformed(self):
+        html = '''<!-- malformed-close --!> <img src='x' onerror='alert(1)'></img> --> comment <!-- normal comment --> --> out of context balise --!>'''
+        html_result = html_sanitize(html)
+        self.assertNotIn('alert(1)', html_result)
+
+    def test_multiline(self):
+        payload = """
+            <div> <!--
+                multi line comment
+                --!> </div> <script> alert(1) </script> -->
+        """
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+    def test_abrupt_close(self):
+        payload = """<!--> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+        payload = """<!---> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+    def test_abrut_malformed(self):
+        payload = """<!--!> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
+
+        payload = """<!---!> <script> alert(1) </script> -->"""
+        html_result = html_sanitize(payload)
+        self.assertNotIn('alert(1)', html_result)
--- a/odoo/tools/mail.py
+++ b/odoo/tools/mail.py
@@ -199,6 +199,8 @@ def html_normalize(src, filter_callback=None):
    src = doctype.sub(u"", src)

    try:
+        src = src.replace('--!>', '-->')
+        src = re.sub(r'(<!-->|<!--->)', '<!-- -->', src)
        doc = html.fromstring(src)
    except etree.ParserError as e:
        # HTML comment only string, whitespace only..