Merge remote-tracking branch 'origin/19.0' into feat/cycle-compliance-on-registrant

# Conflicts:
#	spp_programs/tests/__init__.py

Author: emjay0921

spp

@@ -22,7 +22,14 @@ import shutil
 import subprocess
 import sys
 import time
-import tomllib
+
+try:
+    import tomllib
+except ModuleNotFoundError:
+    try:
+        import tomli as tomllib
+    except ModuleNotFoundError:
+        tomllib = None
 from pathlib import Path
 
 try:
@@ -99,13 +106,15 @@ DEFAULT_CONFIG = {
 def load_config() -> dict:
     """Load config from ~/.spp.toml, returning defaults if not found."""
     config = DEFAULT_CONFIG.copy()
-    if CONFIG_PATH.exists():
+    if CONFIG_PATH.exists() and tomllib is not None:
         try:
             with open(CONFIG_PATH, "rb") as f:
                 user_config = tomllib.load(f)
                 config.update(user_config)
         except (tomllib.TOMLDecodeError, OSError) as e:
             warn(f"Could not load config from {CONFIG_PATH}: {e}")
+    elif CONFIG_PATH.exists() and tomllib is None:
+        warn("tomllib not available (Python < 3.11). Install 'tomli' or upgrade Python to load ~/.spp.toml config.")
     return config
 
 
@@ -131,7 +140,7 @@ DEMO_PROFILES = {
 }
 
 
-def run(cmd: str | list, check: bool = True, capture: bool = False, **kwargs) -> subprocess.CompletedProcess:
+def run(cmd, check: bool = True, capture: bool = False, **kwargs) -> subprocess.CompletedProcess:
     """Run a command with nice defaults."""
     if isinstance(cmd, str):
         kwargs.setdefault("shell", True)
@@ -909,7 +918,7 @@ def cmd_sql(args):
         run(docker_compose("exec", "db", "psql", "-U", "odoo", "-d", db_name))
 
 
-def _show_url(open_browser: bool = False) -> str | None:
+def _show_url(open_browser: bool = False):
     """Get the running Odoo server URL."""
     service, profile = _find_running_odoo()
     if not service:

spp_api_v2/tests/test_search_service.py

@@ -57,8 +57,8 @@ def test_search_by_name(self):
         self.assertEqual(total, 2)
         self.assertEqual(len(records), 2)
         names = [r.name for r in records]
-        self.assertIn("Alice Johnson", names)
-        self.assertIn("Alice Brown", names)
+        self.assertIn("JOHNSON, ALICE", names)
+        self.assertIn("BROWN, ALICE", names)
 
     def test_parse_identifier_param(self):
         """identifier=system|value creates proper domain"""
@@ -224,7 +224,7 @@ def test_search_combined_params(self):
         # Should find Alice Johnson and Alice Brown (both female)
         self.assertEqual(total, 2)
         for record in records:
-            self.assertIn("Alice", record.name)
+            self.assertIn("ALICE", record.name)
             self.assertEqual(record.gender_id, self.gender_female)
 
 

spp_audit/README.rst

@@ -154,6 +154,8 @@ Changelog
   all records, not just the first
 - refactor: use ``isinstance(value, Markup)`` instead of fragile
   ``str(type(...))`` comparison in all audit decorator methods
+- fix: add HTML escaping to computed ``data_html`` and
+  ``parent_data_html`` fields to prevent stored XSS (#50)
 
 19.0.2.0.0
 ~~~~~~~~~~

spp_audit/models/spp_audit_log.py

@@ -2,6 +2,7 @@
 import logging
 
 from dateutil import tz
+from markupsafe import escape as html_escape
 
 from odoo import _, api, fields, models
 from odoo.exceptions import UserError
@@ -164,7 +165,7 @@ def _compute_data_html(self):
             for line in rec._get_content():
                 row = ""
                 for item in line:
-                    row += f"<td>{item}</td>"
+                    row += f"<td>{html_escape(str(item))}</td>"
                 tbody += f"<tr>{row}</tr>"
             tbody = f"<tbody>{tbody}</tbody>"
             rec.data_html = f'<table class="o_list_view table table-condensed table-striped">{thead}{tbody}</table>'
@@ -206,7 +207,7 @@ def _compute_parent_data_html(self):
             for line in rec._parent_get_content():
                 row = ""
                 for item in line:
-                    row += f"<td>{item}</td>"
+                    row += f"<td>{html_escape(str(item))}</td>"
                 tbody += f"<tr>{row}</tr>"
             tbody = f"<tbody>{tbody}</tbody>"
             rec.parent_data_html = (

spp_audit/readme/HISTORY.md

@@ -3,6 +3,7 @@
 - fix: use @api.model_create_multi for audit_create to support Odoo 19 create overrides (#138)
 - fix: Markup sanitization in audit_write and audit_unlink now handles all records, not just the first
 - refactor: use `isinstance(value, Markup)` instead of fragile `str(type(...))` comparison in all audit decorator methods
+- fix: add HTML escaping to computed `data_html` and `parent_data_html` fields to prevent stored XSS (#50)
 
 ### 19.0.2.0.0
 

spp_audit/static/description/index.html

@@ -524,6 +524,8 @@ <h1>19.0.2.0.1</h1>
 all records, not just the first</li>
 <li>refactor: use <tt class="docutils literal">isinstance(value, Markup)</tt> instead of fragile
 <tt class="docutils literal"><span class="pre">str(type(...))</span></tt> comparison in all audit decorator methods</li>
+<li>fix: add HTML escaping to computed <tt class="docutils literal">data_html</tt> and
+<tt class="docutils literal">parent_data_html</tt> fields to prevent stored XSS (#50)</li>
 </ul>
 </div>
 <div class="section" id="section-2">

spp_audit/tests/__init__.py

@@ -1,2 +1,3 @@
 from . import test_audit_backend
+from . import test_html_escaping
 from . import test_spp_audit_rule

spp_audit/tests/test_html_escaping.py

@@ -0,0 +1,90 @@
+from odoo.tests.common import TransactionCase
+
+
+class TestAuditHtmlEscaping(TransactionCase):
+    """Tests that audit log HTML fields properly escape dynamic values."""
+
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.model_partner = cls.env["ir.model"].search([("model", "=", "res.partner")], limit=1)
+        cls.audit_rule = cls.env["spp.audit.rule"].search([("model_id", "=", cls.model_partner.id)], limit=1)
+        if not cls.audit_rule:
+            cls.audit_rule = cls.env["spp.audit.rule"].create(
+                {
+                    "name": "Test Rule",
+                    "model_id": cls.model_partner.id,
+                    "is_log_create": True,
+                    "is_log_write": True,
+                    "is_log_unlink": False,
+                }
+            )
+
+    def _create_audit_log(self, old_vals, new_vals):
+        """Create an audit log record with given old/new values."""
+        data = repr({"old": old_vals, "new": new_vals})
+        return self.env["spp.audit.log"].create(
+            {
+                "audit_rule_id": self.audit_rule.id,
+                "user_id": self.env.uid,
+                "model_id": self.model_partner.id,
+                "res_id": 1,
+                "method": "write",
+                "data": data,
+            }
+        )
+
+    def test_data_html_escapes_script_tags(self):
+        """Verify data_html escapes <script> in field values."""
+        xss_payload = '<script>alert("xss")</script>'
+        log = self._create_audit_log(
+            old_vals={"name": "Safe Name"},
+            new_vals={"name": xss_payload},
+        )
+        html = log.data_html
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)
+
+    def test_data_html_escapes_html_entities(self):
+        """Verify data_html escapes angle brackets and ampersands."""
+        log = self._create_audit_log(
+            old_vals={"name": "Before <b>bold</b>"},
+            new_vals={"name": "After <img src=x onerror=alert(1)>"},
+        )
+        html = log.data_html
+        self.assertNotIn("<img ", html)
+        self.assertIn("&lt;img ", html)
+        self.assertNotIn("<b>bold</b>", html)
+        self.assertIn("&lt;b&gt;bold&lt;/b&gt;", html)
+
+    def test_data_html_renders_table_structure(self):
+        """Verify data_html still produces valid table structure."""
+        log = self._create_audit_log(
+            old_vals={"name": "Old"},
+            new_vals={"name": "New"},
+        )
+        html = log.data_html
+        self.assertIn("<table", html)
+        self.assertIn("<thead>", html)
+        self.assertIn("<tbody>", html)
+        self.assertIn("<td>", html)
+
+    def test_parent_data_html_escapes_script_tags(self):
+        """Verify parent_data_html escapes <script> in field values."""
+        xss_payload = '<script>alert("xss")</script>'
+        parent_model = self.env["ir.model"].search([("model", "=", "res.partner")], limit=1)
+        log = self.env["spp.audit.log"].create(
+            {
+                "audit_rule_id": self.audit_rule.id,
+                "user_id": self.env.uid,
+                "model_id": self.model_partner.id,
+                "res_id": 1,
+                "method": "write",
+                "data": repr({"old": {"name": "Safe"}, "new": {"name": xss_payload}}),
+                "parent_model_id": parent_model.id,
+                "parent_res_ids_str": "1",
+            }
+        )
+        html = log.parent_data_html
+        self.assertNotIn("<script>", html)
+        self.assertIn("&lt;script&gt;", html)

spp_case_demo/README.rst

@@ -7,7 +7,7 @@ OpenSPP Case Management Demo Data
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:39196739031b49c0d69e329806b940da071ca49472f130cd28ffd45eda6459e7
+   !! source digest: sha256:force_regen
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png
@@ -24,16 +24,20 @@ OpenSPP Case Management Demo Data
 
 Demo data generator for Case Management system. Creates realistic cases
 with intervention plans, home visits, progress notes, and service
-referrals. Includes 9 fixed demo stories for training and sales demos,
-plus configurable random case generation for volume testing.
+referrals. Includes 9 fixed demo stories plus 3 background cases for
+training and sales demos, and configurable volume case generation using
+Faker for locale-aware random data (non-deterministic — each run
+produces different results).
 
 Key Capabilities
 ~~~~~~~~~~~~~~~~
 
 - Generate 9 fixed demo stories with predictable personas and case
-  progressions for consistent training scenarios
-- Create random volume cases with configurable distribution percentages
-  for plans, visits, notes, and closures
+  progressions for consistent training scenarios, plus 3 background
+  cases (Fernandez Intake Pending, Johnson Assessment, Kim Case Closed)
+  for variety
+- Create random volume cases using Faker (non-seeded) with configurable
+  distribution percentages for plans, visits, notes, and closures
 - Link generated cases to existing registrants or create standalone
   cases
 - Backdate case records and related activities to simulate realistic

spp_case_demo/readme/DESCRIPTION.md

@@ -1,9 +1,9 @@
-Demo data generator for Case Management system. Creates realistic cases with intervention plans, home visits, progress notes, and service referrals. Includes 9 fixed demo stories for training and sales demos, plus configurable random case generation for volume testing.
+Demo data generator for Case Management system. Creates realistic cases with intervention plans, home visits, progress notes, and service referrals. Includes 9 fixed demo stories plus 3 background cases for training and sales demos, and configurable volume case generation using Faker for locale-aware random data (non-deterministic — each run produces different results).
 
 ### Key Capabilities
 
-- Generate 9 fixed demo stories with predictable personas and case progressions for consistent training scenarios
-- Create random volume cases with configurable distribution percentages for plans, visits, notes, and closures
+- Generate 9 fixed demo stories with predictable personas and case progressions for consistent training scenarios, plus 3 background cases (Fernandez Intake Pending, Johnson Assessment, Kim Case Closed) for variety
+- Create random volume cases using Faker (non-seeded) with configurable distribution percentages for plans, visits, notes, and closures
 - Link generated cases to existing registrants or create standalone cases
 - Backdate case records and related activities to simulate realistic timelines over configurable day ranges
 - Create intervention plans with multiple interventions across case lifecycle stages