test(spp_audit,spp_change_request_v2): add HTML escaping coverage tests

Verify that computed Html fields properly escape XSS payloads in
dynamic values (script tags, img onerror, etc.) for audit logs,
change request previews, registrant summaries, and preview wizard.

Author: gonzalesedwin1123

spp_audit/tests/__init__.py

@@ -1,2 +1,3 @@
 from . import test_audit_backend
+from . import test_html_escaping
 from . import test_spp_audit_rule

spp_audit/tests/test_html_escaping.py

@@ -0,0 +1,89 @@
+from odoo.tests.common import TransactionCase
+
+
+class TestAuditHtmlEscaping(TransactionCase):
+    """Tests that audit log HTML fields properly escape dynamic values."""
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.model_partner = cls.env["ir.model"].search([("model", "=", "res.partner")], limit=1)
+        cls.audit_rule = cls.env["spp.audit.rule"].search([("model_id", "=", cls.model_partner.id)], limit=1)
+        if not cls.audit_rule:
+            cls.audit_rule = cls.env["spp.audit.rule"].create(
+                {
+                    "name": "Test Rule",
+                    "model_id": cls.model_partner.id,
+                    "is_log_create": True,
+                    "is_log_write": True,
+                    "is_log_unlink": False,
+                }
+            )
+
+    def _create_audit_log(self, old_vals, new_vals):
+        """Create an audit log record with given old/new values."""
+        data = repr({"old": old_vals, "new": new_vals})
+        return self.env["spp.audit.log"].create(
+            {
+                "audit_rule_id": self.audit_rule.id,
+                "user_id": self.env.uid,
+                "model_id": self.model_partner.id,
+                "res_id": 1,
+                "method": "write",
+                "data": data,
+            }
+        )
+
+    def test_data_html_escapes_script_tags(self):
+        """Verify data_html escapes <script> in field values."""
+        xss_payload = '<script>alert("xss")</script>'
+        log = self._create_audit_log(
+            old_vals={"name": "Safe Name"},
+            new_vals={"name": xss_payload},
+        )
+        html = log.data_html
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+
+    def test_data_html_escapes_html_entities(self):
+        """Verify data_html escapes angle brackets and ampersands."""
+        log = self._create_audit_log(
+            old_vals={"name": "Before <b>bold</b>"},
+            new_vals={"name": "After <img src=x onerror=alert(1)>"},
+        )
+        html = log.data_html
+        self.assertNotIn("<img ", html)
+        self.assertIn("&lt;img ", html)
+        self.assertNotIn("<b>bold</b>", html)
+        self.assertIn("&lt;b&gt;bold&lt;/b&gt;", html)
+
+    def test_data_html_renders_table_structure(self):
+        """Verify data_html still produces valid table structure."""
+        log = self._create_audit_log(
+            old_vals={"name": "Old"},
+            new_vals={"name": "New"},
+        )
+        html = log.data_html
+        self.assertIn("<table", html)
+        self.assertIn("<thead>", html)
+        self.assertIn("<tbody>", html)
+        self.assertIn("<td>", html)
+
+    def test_parent_data_html_escapes_script_tags(self):
+        """Verify parent_data_html escapes <script> in field values."""
+        xss_payload = '<script>alert("xss")</script>'
+        parent_model = self.env["ir.model"].search([("model", "=", "res.partner")], limit=1)
+        log = self.env["spp.audit.log"].create(
+            {
+                "audit_rule_id": self.audit_rule.id,
+                "user_id": self.env.uid,
+                "model_id": self.model_partner.id,
+                "res_id": 1,
+                "method": "write",
+                "data": repr({"old": {"name": "Safe"}, "new": {"name": xss_payload}}),
+                "parent_model_id": parent_model.id,
+                "parent_res_ids_str": "1",
+            }
+        )
+        html = log.parent_data_html
+        self.assertNotIn("<script>", html)

spp_change_request_v2/tests/__init__.py

@@ -23,3 +23,5 @@
 from . import test_approval_hooks_and_audit
 from . import test_dynamic_approval
 from . import test_conflict_dynamic_approval
+from . import test_html_escaping
+from . import test_wizard_html_escaping

spp_change_request_v2/tests/test_html_escaping.py

@@ -0,0 +1,141 @@
+from unittest.mock import patch
+
+from odoo.tests import tagged
+
+from .test_change_request import TestChangeRequestBase
+
+
+@tagged("post_install", "-at_install")
+class TestHtmlEscaping(TestChangeRequestBase):
+    """Tests that computed HTML fields properly escape dynamic values."""
+
+    def _create_cr(self, registrant=None, cr_type=None):
+        """Helper to create a CR for testing."""
+        vals = {
+            "request_type_id": (cr_type or self.cr_type_add_member).id,
+        }
+        if registrant is not False:
+            vals["registrant_id"] = (registrant or self.group).id
+        return self.cr_model.create(vals)
+
+    def test_registrant_summary_escapes_name(self):
+        """Verify registrant_summary_html escapes XSS in registrant name."""
+        xss_name = '<script>alert("xss")</script>'
+        registrant = self.partner_model.create(
+            {
+                "name": xss_name,
+                "is_registrant": True,
+                "is_group": False,
+            }
+        )
+        cr = self._create_cr(registrant=registrant)
+        cr.invalidate_recordset()
+        html = cr.registrant_summary_html
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+
+    def test_registrant_summary_escapes_address(self):
+        """Verify registrant_summary_html escapes XSS in street/city."""
+        registrant = self.partner_model.create(
+            {
+                "name": "Safe Name",
+                "is_registrant": True,
+                "is_group": False,
+                "street": '<img src=x onerror=alert(1)>',
+                "city": '<b onmouseover=alert(2)>City</b>',
+            }
+        )
+        cr = self._create_cr(registrant=registrant)
+        cr.invalidate_recordset()
+        html = cr.registrant_summary_html
+        self.assertNotIn("<img ", html)
+        self.assertNotIn("<b ", html)
+        self.assertIn("&lt;img ", html)
+        self.assertIn("&lt;b ", html)
+
+    def test_registrant_summary_escapes_spp_id(self):
+        """Verify registrant_summary_html escapes XSS in spp_id."""
+        registrant = self.partner_model.create(
+            {
+                "name": "Safe Name",
+                "is_registrant": True,
+                "is_group": False,
+            }
+        )
+        if hasattr(registrant, "spp_id"):
+            registrant.spp_id = '<script>alert("id")</script>'
+            cr = self._create_cr(registrant=registrant)
+            cr.invalidate_recordset()
+            html = cr.registrant_summary_html
+            self.assertNotIn("<script>", html)
+
+    def test_preview_html_escapes_field_values(self):
+        """Verify _generate_preview_html escapes dynamic values."""
+        cr = self._create_cr()
+        xss_changes = {
+            "_action": "update",
+            "name": {
+                "old": '<script>alert("old")</script>',
+                "new": '<img src=x onerror=alert("new")>',
+            },
+            "notes": '<script>alert("notes")</script>',
+        }
+        # Mock the strategy.preview() to return XSS payloads
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = xss_changes
+            cr.invalidate_recordset()
+            html = cr._generate_preview_html()
+
+        self.assertNotIn("<script>", html)
+        self.assertNotIn("<img ", html)
+        self.assertIn("&lt;script&gt;", html)
+        self.assertIn("&lt;img ", html)
+
+    def test_preview_html_escapes_list_values(self):
+        """Verify _generate_preview_html escapes list values."""
+        cr = self._create_cr()
+        xss_changes = {
+            "_action": "update",
+            "tags": ['<script>alert(1)</script>', "safe value"],
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = xss_changes
+            cr.invalidate_recordset()
+            html = cr._generate_preview_html()
+
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+        self.assertIn("safe value", html)
+
+    def test_preview_html_escapes_action_label(self):
+        """Verify _generate_preview_html escapes unknown action labels."""
+        cr = self._create_cr()
+        xss_changes = {
+            "_action": '<img src=x onerror=alert("action")>',
+            "field": "value",
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = xss_changes
+            cr.invalidate_recordset()
+            html = cr._generate_preview_html()
+
+        # .title() changes case, so check case-insensitively
+        self.assertNotIn("<img ", html.lower())
+        self.assertIn("&lt;", html)
+
+    def test_preview_html_preserves_safe_content(self):
+        """Verify normal content renders correctly after escaping."""
+        cr = self._create_cr()
+        safe_changes = {
+            "_action": "update",
+            "full_name": {"old": "Old Name", "new": "New Name"},
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = safe_changes
+            cr.invalidate_recordset()
+            html = cr._generate_preview_html()
+
+        self.assertIn("Old Name", html)
+        self.assertIn("New Name", html)
+        self.assertIn("Full Name", html)
+        self.assertIn("<table", html)

spp_change_request_v2/tests/test_wizard_html_escaping.py

@@ -0,0 +1,107 @@
+import json
+from unittest.mock import patch
+
+from odoo.tests import tagged
+
+from .test_change_request import TestChangeRequestBase
+
+
+@tagged("post_install", "-at_install")
+class TestWizardHtmlEscaping(TestChangeRequestBase):
+    """Tests that the preview wizard properly escapes HTML in dynamic values."""
+
+    def _create_cr(self, registrant=None, cr_type=None):
+        """Helper to create a CR for testing."""
+        vals = {
+            "request_type_id": (cr_type or self.cr_type_add_member).id,
+        }
+        if registrant is not False:
+            vals["registrant_id"] = (registrant or self.group).id
+        return self.cr_model.create(vals)
+
+    def _create_wizard(self, cr):
+        """Create a preview wizard for the given CR."""
+        return self.env["spp.cr.preview.wizard"].create(
+            {"change_request_id": cr.id}
+        )
+
+    def test_wizard_preview_escapes_action(self):
+        """Verify wizard preview_html escapes XSS in action value."""
+        cr = self._create_cr()
+        wizard = self._create_wizard(cr)
+        xss_changes = {
+            "_action": '<script>alert("action")</script>',
+            "field": "value",
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = xss_changes
+            wizard.invalidate_recordset()
+            html = wizard.preview_html
+
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+
+    def test_wizard_preview_escapes_field_values(self):
+        """Verify wizard preview_html escapes XSS in field keys and values."""
+        cr = self._create_cr()
+        wizard = self._create_wizard(cr)
+        xss_changes = {
+            "_action": "update",
+            "safe_field": '<img src=x onerror=alert(1)>',
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = xss_changes
+            wizard.invalidate_recordset()
+            html = wizard.preview_html
+
+        self.assertNotIn("<img ", html)
+        self.assertIn("&lt;img ", html)
+
+    def test_wizard_preview_escapes_list_values(self):
+        """Verify wizard preview_html escapes list items."""
+        cr = self._create_cr()
+        wizard = self._create_wizard(cr)
+        xss_changes = {
+            "_action": "update",
+            "tags": ['<script>alert(1)</script>', "safe"],
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = xss_changes
+            wizard.invalidate_recordset()
+            html = wizard.preview_html
+
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+        self.assertIn("safe", html)
+
+    def test_wizard_preview_from_snapshot_escapes(self):
+        """Verify wizard escapes values from stored JSON snapshots."""
+        cr = self._create_cr()
+        xss_snapshot = json.dumps({
+            "_action": "update",
+            "name": '<script>alert("snapshot")</script>',
+        })
+        cr.write({"is_applied": True, "preview_json_snapshot": xss_snapshot})
+        wizard = self._create_wizard(cr)
+        wizard.invalidate_recordset()
+        html = wizard.preview_html
+
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+
+    def test_wizard_preview_preserves_safe_content(self):
+        """Verify safe content renders correctly in wizard preview."""
+        cr = self._create_cr()
+        wizard = self._create_wizard(cr)
+        safe_changes = {
+            "_action": "create",
+            "full_name": "John Doe",
+        }
+        with patch.object(type(cr.request_type_id), "get_apply_strategy") as mock_strategy:
+            mock_strategy.return_value.preview.return_value = safe_changes
+            wizard.invalidate_recordset()
+            html = wizard.preview_html
+
+        self.assertIn("John Doe", html)
+        self.assertIn("Full Name", html)
+        self.assertIn("create", html)