[FIX] mail: don't autoescape mail subject

The mail template rendering system use "autoescape" for subject, body, email_to, ... Using autoescape is good for the body, but for the subject it means variables insertions have to be marked as safe. This commit add another environment without autoescaping enabled for the subject field. From https://tools.ietf.org/html/rfc2822: The "Subject:" and "Comments:" fields are unstructured fields as defined in section 2.2.1, and therefore may contain text or folding white space. 2.2.1. Unstructured Header Field Bodies Some field bodies in this standard are defined simply as "unstructured" (which is specified below as any US-ASCII characters, except for CR and LF) with no further restrictions. closes #10547 opw-659231 opw-666801 opw-665863
odoo · Jan 20, 2016 · 6dde919 · 6dde919
1 parent 4bfc279
commit 6dde919
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/addons/mail/models/mail_template.py b/addons/mail/models/mail_template.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 
 import base64
+import copy
 import datetime
 import dateutil.relativedelta as relativedelta
 import logging
@@ -94,6 +95,8 @@ def format_tz(pool, cr, uid, dt, tz=False, format=False, context=None):
         # is needed, apparently.
         'relativedelta': lambda *a, **kw : relativedelta.relativedelta(*a, **kw),
     })
+    mako_safe_template_env = copy.copy(mako_template_env)
+    mako_safe_template_env.autoescape = False
 except ImportError:
     _logger.warning("jinja2 not available, templating features will not work!")
 
@@ -339,7 +342,8 @@ def render_template(self, template_txt, model, res_ids, post_process=False):
 
         # try to load the template
         try:
-            template = mako_template_env.from_string(tools.ustr(template_txt))
+            mako_env = mako_safe_template_env if self.env.context.get('safe') else mako_template_env
+            template = mako_env.from_string(tools.ustr(template_txt))
         except Exception:
             _logger.info("Failed to load template %r", template_txt, exc_info=True)
             return multi_mode and results or results[res_ids[0]]
@@ -460,6 +464,7 @@ def generate_email(self, res_ids, fields=None):
             if template.lang:
                 Template = Template.with_context(lang=template._context.get('lang'))
             for field in fields:
+                Template = Template.with_context(safe=field in {'subject'})
                 generated_field_values = Template.render_template(
                     getattr(template, field), template.model, template_res_ids,
                     post_process=(field == 'body_html'))