openerp-india team mailing list archive
Message #11423
[Bug 998848] Re: 6.1: Unescaped XML attributes in res_users.py:update_user_groups_view
*** This bug is a duplicate of bug 976685 ***
https://bugs.launchpad.net/bugs/976685
** This bug has been marked a duplicate of bug 976685
Wrong XML generation break the code on res_user.py when duplicating/creating new group
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/998848
Title:
6.1: Unescaped XML attributes in res_users.py:update_user_groups_view
Status in OpenERP Addons (modules):
New
Bug description:
Dear Sirs,
I have an easy test case to try:
1. Install 6.1
2. Install Accounting & Finance module
3. Restart openerp (just in case, not really needed I guess)
4. Login as admin again
5. Go to Users -> Roles -> Pick any Accounting role (not editing, just
to view)
6. Once in the accounting role, click the button to Duplicate
7. You will see this error (extracted from the openerp-server.log
itself, although the UI shows pretty much the same thing):
2012-05-13 17:14:14,623 18856 ERROR ? openerp.osv.osv: Uncaught exception
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/openerp/osv/osv.py", line 121, in wrapper
    return f(self, dbname, *args, **kwargs)
  File "/usr/lib/pymodules/python2.6/openerp/osv/osv.py", line 176, in execute
    res = self.execute_cr(cr, uid, obj, method, *args, **kw)
  File "/usr/lib/pymodules/python2.6/openerp/osv/osv.py", line 164, in execute_cr
    return getattr(object, method)(cr, uid, *args, **kw)
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/res/res_users.py", line 83, in copy
    return super(groups, self).copy(cr, uid, id, default, context)
  File "/usr/lib/pymodules/python2.6/openerp/osv/orm.py", line 4732, in copy
    new_id = self.create(cr, uid, data, context)
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/res/res_users.py", line 727, in create
    res = super(groups_view, self).create(cr, uid, values, context)
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/res/res_users.py", line 637, in create
    self.write(cr, uid, [gid], {'users': users}, context)
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/res/res_users.py", line 733, in write
    self.update_user_groups_view(cr, uid, context)
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/res/res_users.py", line 768, in update_user_groups_view
    view.write({'arch': xml % ('\n'.join(xml1), '\n'.join(xml2))})
  File "/usr/lib/pymodules/python2.6/openerp/osv/orm.py", line 368, in function_proxy
    return attr(self._cr, self._uid, [self._id], *args, **kwargs)
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/ir/ir_ui_view.py", line 117, in write
    result = super(view, self).write(cr, uid, ids, vals, context)
  File "/usr/lib/pymodules/python2.6/openerp/osv/orm.py", line 3943, in write
    self._validate(cr, user, ids, context)
  File "/usr/lib/pymodules/python2.6/openerp/osv/orm.py", line 1448, in _validate
    if not fun(self, cr, uid, ids):
  File "/usr/lib/pymodules/python2.6/openerp/addons/base/ir/ir_ui_view.py", line 78, in _check_xml
    eview = etree.fromstring(view.arch.encode('utf8'))
  File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring (src/lxml/lxml.etree.c:48634)
  File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:72245)
  File "parser.pxi", line 1424, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:71106)
  File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67875)
  File "parser.pxi", line 539, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:64257)
  File "parser.pxi", line 625, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:65178)
  File "parser.pxi", line 565, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64521)
XMLSyntaxError: xmlParseEntityRef: no name, line 11, column 31
2012-05-13 17:14:14,630 18856 ERROR ? openerp.netsvc: xmlParseEntityRef: no name, line 11, column 31
2012-05-13 17:14:14,634 18856 INFO ? werkzeug: 127.0.0.1 - - [13/May/2012 17:14:14] "POST /web/dataset/call HTTP/1.1" 200 -
The key part should be "xmlParseEntityRef: no name, line 11, column 31", which seems to come from some XML generated by res_users.py:update_user_groups_view. In order to see the XML I just added a logging line and the output was:
<?xml version="1.0" encoding="utf-8"?>
<!-- GENERATED AUTOMATICALLY BY GROUPS -->
<field name="groups_id" position="replace">
    <separator string="Applications" colspan="4"/>
    <field name="sel_groups_7_8"/>
    <newline/>
    <field name="sel_groups_3"/>
    <newline/>
    <field name="sel_groups_1_2"/>
    <newline/>
    <separator string="Accounting & Finance" colspan="4"/>
    <field name="in_group_13"/>
    <field name="in_group_14"/>
    <field name="in_group_15"/>
    <field name="in_group_22"/>
    <separator string="Usability" colspan="4"/>
    <field name="in_group_4"/>
    <field name="in_group_5"/>
    <field name="in_group_6"/>
    <field name="in_group_10"/>
    <field name="in_group_11"/>
    <field name="in_group_12"/>
    <separator string="Other" colspan="4"/>
    <field name="in_group_9"/>
</field>
Where line 11 corresponds to:
<separator string="Accounting & Finance" colspan="4"/>
So the issue is clearly a lack of XML escaping in the attribute values
for the special character '&' (which has the special meaning of denoting
the beginning of an XML entity, like &apos;, hence the parser
complains about the lack of a name for it).
This can be easily solved by escaping all the values of the XML
attributes that the offending function generates. For example,
assuming we have imported "escape" function from xml.sax.saxutils, we
can do something like:
from xml.sax.saxutils import escape  # escapes '&', '<' and '>' in the values below

xml1, xml2 = [], []
xml1.append('<separator string="%s" colspan="4"/>'
            % escape(_('Applications')))
for app, kind, gs in self.get_groups_by_application(cr, uid, context):
    if kind == 'selection':
        # application name with a selection field
        field_name = name_selection_groups(map(int, gs))
        xml1.append('<field name="%s"/>' % escape(field_name))
        xml1.append('<newline/>')
    else:
        # application separator with boolean fields
        app_name = app and app.name or _('Other')
        xml2.append('<separator string="%s" colspan="4"/>' %
                    escape(app_name))
        for g in gs:
            field_name = name_boolean_group(g.id)
            xml2.append('<field name="%s"/>' %
                        escape(field_name))
view.write({'arch': xml % ('\n'.join(xml1), '\n'.join(xml2))})
The above snippet was tried locally and no error was produced (the
Accounting role was successfully copied).
Please fix accordingly, or let me know if you want me to go and fix
myself (the "escape" function is just a suggestion, there may be other
options).
Thanks.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/998848/+subscriptions
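The following is an added, stand-alone example written for this archive page; it is not code from the bug report or from OpenERP. It rebuilds a minimal groups view arch the way update_user_groups_view does (string interpolation into attribute values), checks it with the same kind of well-formedness parse that _check_xml performs, and contrasts three variants: no escaping (the reported breakage), the xml.sax.saxutils.escape() the reporter suggests, and xml.sax.saxutils.quoteattr(). The app names are constructed sample data; "Accounting & Finance" reproduces the reporter's case, and the names containing '<' and '"' go beyond the page to show one caveat with escape(): by default it handles '&', '<' and '>' but not quote characters, so a group name containing a double quote would still produce a malformed attribute, whereas quoteattr() picks safe delimiters itself.

```python
"""Added example (not from the bug report or OpenERP): generate the groups
view arch three ways and check which variants survive an XML parse."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample application names. The second one mirrors the value
# that broke the reporter's view; the last two cover '<' and '"'.
SAMPLE_APPS = ["Applications", "Accounting & Finance", "R<D", 'Say "hi"']

# Minimal stand-in for the arch template used by update_user_groups_view.
ARCH_TEMPLATE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<field name="groups_id" position="replace">\n%s\n</field>'
)


def build_arch_unescaped(app_names):
    """Interpolate names straight into attribute values (the 6.1 behaviour)."""
    lines = ['<separator string="%s" colspan="4"/>' % n for n in app_names]
    return ARCH_TEMPLATE % "\n".join(lines)


def build_arch_escape_only(app_names):
    """The reporter's suggestion: escape() on each value. It converts '&',
    '<' and '>' but leaves '"' alone, so a quote in a name still breaks."""
    lines = ['<separator string="%s" colspan="4"/>' % escape(n) for n in app_names]
    return ARCH_TEMPLATE % "\n".join(lines)


def build_arch_quoteattr(app_names):
    """quoteattr() escapes '&', '<', '>' and quotes, and supplies the
    surrounding delimiters itself, so any name becomes a valid attribute."""
    lines = ['<separator string=%s colspan="4"/>' % quoteattr(n) for n in app_names]
    return ARCH_TEMPLATE % "\n".join(lines)


def arch_parses(arch):
    """True if the arch is well-formed XML; this is what _check_xml enforces
    (it uses lxml, the stdlib parser gives the same verdict here)."""
    try:
        ET.fromstring(arch.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


def separator_strings(arch):
    """Read the separator labels back out of a parsed arch, proving that
    escaped values round-trip to the original names."""
    root = ET.fromstring(arch.encode("utf-8"))
    return [sep.get("string") for sep in root.iter("separator")]


if __name__ == "__main__":
    for name, builder in [("unescaped", build_arch_unescaped),
                          ("escape()", build_arch_escape_only),
                          ("quoteattr()", build_arch_quoteattr)]:
        arch = builder(SAMPLE_APPS)
        print("%-12s parses: %s" % (name, arch_parses(arch)))
    print(separator_strings(build_arch_quoteattr(SAMPLE_APPS)))
```

Running it prints that only the quoteattr() variant parses for the full sample list, while escape() is enough for the reporter's "Accounting & Finance" case alone. Either way the check is the same one the ORM applies on write, so a bad group name fails loudly at save time rather than silently corrupting the view.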