Permalink
Browse files

[FIX] web: prevent crash when searching for escaped strings

Recent works in the search view (in 12.0) on dynamic filters had an
unfortunate effect: when the user tries to input escaped strings (for
example "test" in custom filters, there was a crash.

The reason is that the JS python parser (or more specifically, the
tokenizer) was unable to parse that as a string.  It worked before
because the web client sent the raw string to the server.  However, with
dynamic filters, this is no longer the case, and we need to parse
domains to be able to combine them.

In this commit, we modify the tokenizer to be able to work with escaped
strings.
  • Loading branch information...
ged-odoo committed Dec 6, 2018
1 parent 2a4c44b commit 7c3b1795e046bd808c44ca1e2de8c84adc91915d
Showing with 19 additions and 3 deletions.
  1. +9 −3 addons/web/static/lib/py.js/lib/py.js
  2. +10 −0 addons/web/static/tests/core/py_utils_tests.js
@@ -282,7 +282,10 @@ var py = {};
var name_pattern = new RegExp('^' + Name + '$');
var strip = new RegExp('^' + Whitespace);
return function tokenize(s) {
var max=s.length, tokens = [], start, end = undefined;
s = s
.replace(/\\\"/g, '\\u0022') // for double quote
.replace(/\\\'/g, '\\u0027'); // for single quote
var max=s.length, tokens = [], start, end;
// /g flag makes repeated exec() have memory
var pseudoprog = new RegExp(PseudoToken, 'g');
@@ -302,17 +305,20 @@ var py = {};
end = pseudoprog.lastIndex;
// strip leading space caught by Whitespace
var token = s.slice(start, end).replace(strip, '');
var initial = token[0];
if (number_pattern.test(token)) {
tokens.push(create(symbols['(number)'], {
value: parseFloat(token)
}));
} else if (string_pattern.test(token)) {
var m = string_pattern.exec(token);
var value = (m[3] !== undefined ? m[3] : m[5]);
value
.replace(/\\u0022/g, '"')
.replace(/\\u0027/g, "'");
tokens.push(create(symbols['(string)'], {
unicode: !!(m[2] || m[4]),
value: (m[3] !== undefined ? m[3] : m[5])
value: value
}));
} else if (token in symbols) {
var symbol;
@@ -1254,6 +1254,15 @@ QUnit.module('core', function () {
assert.checkAST(expr);
});
QUnit.test("parse escaped quoted strings", function (assert) {
assert.expect(2);
assert.checkAST(`'\"'`, "a string containing \"");
assert.checkAST(`'\'`, "a string containing \'");
});
QUnit.module('pyutils (_normalizeDomain)');
QUnit.assert.checkNormalization = function (domain, normalizedDomain) {
@@ -1334,5 +1343,6 @@ QUnit.module('core', function () {
"[('user_id', '=', uid)]"
);
});
});
});

0 comments on commit 7c3b179

Please sign in to comment.