fix(spp_audit,spp_change_request_v2): add HTML escaping to computed Html fields

Escape dynamic values with markupsafe.escape() before inserting into
f-string HTML to prevent stored XSS in audit logs, change request
previews, and registrant summaries.

Fixes #50

Author: gonzalesedwin1123

spp_audit/models/spp_audit_log.py

@@ -2,6 +2,7 @@
 import logging
 
 from dateutil import tz
+from markupsafe import escape as html_escape
 
 from odoo import _, api, fields, models
 from odoo.exceptions import UserError
@@ -164,7 +165,7 @@ def _compute_data_html(self):
             for line in rec._get_content():
                 row = ""
                 for item in line:
-                    row += f"<td>{item}</td>"
+                    row += f"<td>{html_escape(str(item))}</td>"
                 tbody += f"<tr>{row}</tr>"
             tbody = f"<tbody>{tbody}</tbody>"
             rec.data_html = f'<table class="o_list_view table table-condensed table-striped">{thead}{tbody}</table>'
@@ -206,7 +207,7 @@ def _compute_parent_data_html(self):
             for line in rec._parent_get_content():
                 row = ""
                 for item in line:
-                    row += f"<td>{item}</td>"
+                    row += f"<td>{html_escape(str(item))}</td>"
                 tbody += f"<tr>{row}</tr>"
             tbody = f"<tbody>{tbody}</tbody>"
             rec.parent_data_html = (

spp_change_request_v2/models/change_request.py

@@ -541,19 +541,20 @@ def _compute_registrant_summary_html(self):
                 html_parts.append('<i class="fa fa-users fa-lg text-primary me-2"></i>')
             else:
                 html_parts.append('<i class="fa fa-user fa-lg text-primary me-2"></i>')
-            html_parts.append(f"<strong>{reg.name}</strong>")
+            html_parts.append(f"<strong>{html_escape(reg.name or '')}</strong>")
             html_parts.append("</div>")
 
             # ID badge
             if hasattr(reg, "spp_id") and reg.spp_id:
-                html_parts.append(f'<div class="mb-2"><span class="badge bg-secondary">ID: {reg.spp_id}</span></div>')
+                escaped_id = html_escape(reg.spp_id)
+                html_parts.append(f'<div class="mb-2"><span class="badge bg-secondary">ID: {escaped_id}</span></div>')
 
             # Address
             address_parts = []
             if reg.street:
-                address_parts.append(reg.street)
+                address_parts.append(html_escape(reg.street))
             if reg.city:
-                address_parts.append(reg.city)
+                address_parts.append(html_escape(reg.city))
             if address_parts:
                 html_parts.append(
                     f'<div class="text-muted small mb-2">'
@@ -1073,7 +1074,7 @@ def _generate_preview_html(self):
         action_label = action_labels.get(action, action.replace("_", " ").title())
         html_parts.append(
             f'<div class="mb-3 d-flex align-items-center">'
-            f'<span class="badge bg-primary me-2">{action_label}</span>'
+            f'<span class="badge bg-primary me-2">{html_escape(action_label)}</span>'
             f"</div>"
         )
 
@@ -1085,7 +1086,7 @@ def _generate_preview_html(self):
             for key, value in changes.items():
                 if key.startswith("_"):
                     continue
-                display_key = key.replace("_", " ").title()
+                display_key = html_escape(key.replace("_", " ").title())
 
                 # Handle dict with old/new structure
                 if isinstance(value, dict) and "new" in value:
@@ -1095,16 +1096,16 @@ def _generate_preview_html(self):
                     if old_val is None or old_val is False or old_val == "":
                         old_display = '<span class="text-muted">—</span>'
                     else:
-                        old_display = str(old_val)
+                        old_display = html_escape(str(old_val))
                     # Format new value
                     if new_val is None or new_val is False or new_val == "":
                         new_display = '<span class="text-muted">—</span>'
                     else:
-                        new_display = f"<strong>{new_val}</strong>"
+                        new_display = f"<strong>{html_escape(str(new_val))}</strong>"
                     display_value = f"{old_display} → {new_display}"
                 elif isinstance(value, list):
                     if value:
-                        display_value = "<br/>".join(str(v) for v in value)
+                        display_value = "<br/>".join(html_escape(str(v)) for v in value)
                     else:
                         display_value = '<span class="text-muted">Not set</span>'
                 elif value is None or value is False or value == "":
@@ -1114,7 +1115,7 @@ def _generate_preview_html(self):
                     # Only True reaches here (False caught above)
                     display_value = '<span class="badge text-bg-success">Yes</span>'
                 else:
-                    display_value = str(value)
+                    display_value = html_escape(str(value))
 
                 html_parts.append(f"<tr><td><strong>{display_key}</strong></td><td>{display_value}</td></tr>")
 

spp_change_request_v2/wizards/preview_changes_wizard.py

@@ -3,6 +3,8 @@
 
 import json
 
+from markupsafe import escape as html_escape
+
 from odoo import api, fields, models
 
 
@@ -61,7 +63,7 @@ def _compute_preview_html(self):
             html_parts = ['<div class="o_preview_changes">']
 
             action = changes.pop("_action", "update")
-            html_parts.append(f'<p class="mb-3"><strong>Action:</strong> {action}</p>')
+            html_parts.append(f'<p class="mb-3"><strong>Action:</strong> {html_escape(str(action))}</p>')
 
             if changes:
                 html_parts.append('<table class="table table-sm table-striped">')
@@ -70,10 +72,10 @@ def _compute_preview_html(self):
 
                 for key, value in changes.items():
                     # Format the key
-                    display_key = key.replace("_", " ").title()
+                    display_key = html_escape(key.replace("_", " ").title())
                     # Format the value
                     if isinstance(value, list):
-                        display_value = "<br/>".join(str(v) for v in value)
+                        display_value = "<br/>".join(html_escape(str(v)) for v in value)
                     elif value is None:
                         display_value = '<span class="text-muted">Not set</span>'
                     elif isinstance(value, bool):
@@ -83,7 +85,7 @@ def _compute_preview_html(self):
                             else '<span class="badge text-bg-secondary">No</span>'
                         )
                     else:
-                        display_value = str(value)
+                        display_value = html_escape(str(value))
 
                     html_parts.append(f"<tr><td><strong>{display_key}</strong></td><td>{display_value}</td></tr>")