[FIX] base: use address_format in layout designer

In task-2355704 changes were made to the pdf layout designer to allow more flexibility when setting company data. However, for the default values of both company_details and report_footer, the data wasn't being escaped, therefore offering security risks. Also, they didn't take into account the address_format when computing the default value. This PR implements Markup usage in the html fields and fixes _default_company_details to use the set address_format. closes odoo/odoo#78652 Signed-off-by: Olivier Dony (odo) <odo@openerp.com>

[FIX] base: use address_format in layout designer
83aeb8fb · Leonardo Pavan Rocha · 02fb0c7c · 83aeb8fb
Commit 83aeb8fb authored 3 years ago by Leonardo Pavan Rocha
--- a/addons/web/models/base_document_layout.py
+++ b/addons/web/models/base_document_layout.py
 # -*- coding: utf-8 -*-
 from PIL import Image
+from markupsafe import Markup

 from odoo import api, fields, models, tools

+from odoo.addons.base.models.ir_qweb_fields import nl2br
 from odoo.modules import get_resource_path

 try:
@@ -27,18 +29,26 @@ class BaseDocumentLayout(models.TransientModel):
    @api.model
    def _default_report_footer(self):
        company = self.env.company
-        footer_fields = filter(None, [company.phone, company.email, company.website, company.vat])
-        return ' '.join(footer_fields)
+        footer_fields = [field for field in [company.phone, company.email, company.website, company.vat] if isinstance(field, str) and len(field) > 0]
+        return Markup(' ').join(footer_fields)

    @api.model
    def _default_company_details(self):
        company = self.env.company
-        return (
-            f'{company.name}\n'
-            f'{company.street}\n'
-            f'{company.city} {company.state_id.name} {company.zip}\n'
-            f'{company.country_id.name}\n'
-        )
+        default_address_format = "%(company_name)s\n%(street)s\n%(city)s %(state_code)s %(zip)s\n%(country_name)s"
+        address_format = company.country_id.address_format or default_address_format
+        if 'company_name' not in address_format:
+            address_format = '%(company_name)s\n' + address_format
+        company_data = {
+            "company_name": company.name or "",
+            "street": company.street or "",
+            "street2": "",
+            "city": company.city or "",
+            "state_code": company.state_id.name or "",
+            "zip": company.zip or "",
+            "country_name": company.country_id.name or "",
+        }
+        return Markup(nl2br(address_format)) % company_data

    company_id = fields.Many2one(
        'res.company', default=lambda self: self.env.company, required=True)