[FIX] website, base: escaping and unescaping html

When saving a template in version 8.0, html would be saved as it should
be displayed once on the site. In particular, if some text should be
escaped once send to the browser, it will be saved as such.

But when rendering, a text node content is unescaped two times:

* for translation which seems wrong since we already use .text of a node
  which already escaped it, doing it one more time is bad,

* when rendering the template, since the html template is stored in xml,

This commit remove superfluous unescaping for translation, and add an
escaping when saving the changed template content.

closes #7967
opw-646889

addons/website/models/ir_ui_view.py

@@ -7,6 +7,7 @@ from openerp import SUPERUSER_ID, api
 from openerp.addons.website.models import website
 from openerp.http import request
 from openerp.osv import osv, fields
+from openerp.tools import html_escape
 
 class view(osv.osv):
     _inherit = "ir.ui.view"
@@ -119,6 +120,14 @@ class view(osv.osv):
             # ensure there's only one match
             [root] = arch.xpath(section_xpath)
 
+        # html text need to be escaped for xml storage
+        def escape_node(node):
+            node.text = node.text and html_escape(node.text)
+            node.tail = node.tail and html_escape(node.tail)
+        escape_node(replacement)
+        for descendant in replacement.iterdescendants():
+            escape_node(descendant)
+
         root.text = replacement.text
         root.tail = replacement.tail
         # replace all children

addons/website/tests/test_views.py

@@ -174,6 +174,16 @@ class TestViewSaving(common.TransactionCase):
             )
         )
 
+    def test_save_escaped_text(self):
+        view_id = self.registry('ir.ui.view').create(self.cr, self.uid, {
+            'arch':'<t>hello world</t>',
+            'type':'qweb'
+        })
+        view = self.registry('ir.ui.view').browse(self.cr, self.uid, view_id)
+        replacement = 'hello world &amp; &lt;angle brackets&gt;!'
+        view.save(replacement, xpath='/t')
+        self.assertEqual(view.render(), replacement, 'html special characters wrongly escaped')
+
     def test_save_only_embedded(self):
         Company = self.registry('res.company')
         company_id = 1

openerp/addons/base/ir/ir_ui_view.py

@@ -945,7 +945,7 @@ class view(osv.osv):
         def get_trans(text):
             if not text or not text.strip():
                 return None
-            text = h.unescape(text.strip())
+            text = text.strip()
             if len(text) < 2 or (text.startswith('<!') and text.endswith('>')):
                 return None
             return translate_func(text)