[IMP] package: update lxml version

Update the version to benefit from the fix for https://github.com/advisories/GHSA-pgww-xf46-h92r https://nvd.nist.gov/vuln/detail/CVE-2020-27783 This vulnerability is reproducible in Odoo with html_sanitize(..., sanitize_tags=False) which does NOT happen for user-facing content. Remove old compatibility check (lxml 3.1 was released in 2013) and cleanup global variables only used once closes odoo/odoo#64248 Signed-off-by: Christophe Monniez (moc) <moc@odoo.com>

[IMP] package: update lxml version
aa07f93e · Martin Trigaux · c80eaa9d · aa07f93e · aa07f93e
Commit aa07f93e authored 4 years ago by Martin Trigaux
--- a/odoo/tools/mail.py
+++ b/odoo/tools/mail.py
@@ -28,13 +28,6 @@ _logger = logging.getLogger(__name__)
 # HTML Sanitizer
 #----------------------------------------------------------

-tags_to_kill = ['base', 'embed', 'frame', 'head', 'iframe', 'link', 'meta',
-                'noscript', 'object', 'script', 'style', 'title']
-
-tags_to_remove = ['html', 'body']
-
-# allow new semantic HTML5 tags
-allowed_tags = clean.defs.tags | frozenset('article bdi section header footer hgroup nav aside figure main'.split() + [etree.Comment])
 safe_attrs = clean.defs.safe_attrs | frozenset(
    ['style',
     'data-o-mail-quote',  # quote detection
@@ -43,6 +36,13 @@ safe_attrs = clean.defs.safe_attrs | frozenset(
     'data-class', 'data-mimetype', 'data-original-src', 'data-original-id', 'data-gl-filter', 'data-quality', 'data-resize-width',
     'data-shape', 'data-shape-colors', 'data-file-name', 'data-original-mimetype',
     ])
+SANITIZE_TAGS = {
+    # allow new semantic HTML5 tags
+    'allow_tags': clean.defs.tags | frozenset('article bdi section header footer hgroup nav aside figure main'.split() + [etree.Comment]),
+    'kill_tags': ['base', 'embed', 'frame', 'head', 'iframe', 'link', 'meta',
+                  'noscript', 'object', 'script', 'style', 'title'],
+    'remove_tags': ['html', 'body'],
+}


 class _Cleaner(clean.Cleaner):
@@ -199,17 +199,9 @@ def html_sanitize(src, silent=True, sanitize_tags=True, sanitize_attributes=Fals
        'processing_instructions': False
    }
    if sanitize_tags:
-        kwargs['allow_tags'] = allowed_tags
-        if etree.LXML_VERSION >= (2, 3, 1):
-            # kill_tags attribute has been added in version 2.3.1
-            kwargs.update({
-                'kill_tags': tags_to_kill,
-                'remove_tags': tags_to_remove,
-            })
-        else:
-            kwargs['remove_tags'] = tags_to_kill + tags_to_remove
+        kwargs.update(SANITIZE_TAGS)

-    if sanitize_attributes and etree.LXML_VERSION >= (3, 1, 0):  # lxml < 3.1.0 does not allow to specify safe_attrs. We keep all attributes in order to keep "style"
+    if sanitize_attributes:  # We keep all attributes in order to keep "style"
        if strip_classes:
            current_safe_attrs = safe_attrs - frozenset(['class'])
        else:

--- a/requirements.txt
+++ b/requirements.txt
@@ -15,9 +15,7 @@ Jinja2==2.10.1; python_version < '3.8'
 # bullseye version, focal patched 2.10
 Jinja2==2.11.2; python_version >= '3.8'
 libsass==0.18.0
-lxml==4.3.2 ; sys_platform != 'win32' and python_version == '3.7'
-lxml==4.6.1 ; sys_platform != 'win32' and python_version > '3.7'
-lxml ; sys_platform == 'win32'
+lxml==4.6.2
 MarkupSafe==1.1.0
 num2words==0.5.6
 ofxparse==0.19