From b8a72c57e1058702d34345722af2780b709251fe Mon Sep 17 00:00:00 2001
From: thomas girod <56346771+imperosol@users.noreply.github.com>
Date: Sat, 10 Dec 2022 20:41:35 +0100
Subject: [PATCH] escape html characters on xml (#505)

---
 counter/models.py | 27 +++++++++++++--------------
 eboutic/models.py | 33 +++++++++++++-------------------
 2 files changed, 26 insertions(+), 34 deletions(-)

diff --git a/counter/models.py b/counter/models.py
index 20fa77a0..bea151b3 100644
--- a/counter/models.py
+++ b/counter/models.py
@@ -21,10 +21,9 @@
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
-from django.db.models.functions import Length
-from sith.settings import SITH_COUNTER_OFFICES, SITH_MAIN_CLUB
 from django.db import models
+from django.db.models.functions import Length
 from django.utils.translation import gettext_lazy as _
 from django.utils import timezone
 from django.conf import settings
@@ -41,6 +40,7 @@ import base64
 import datetime
 from dict2xml import dict2xml
+from sith.settings import SITH_COUNTER_OFFICES, SITH_MAIN_CLUB
 from club.models import Club, Membership
 from accounting.models import CurrencyField
 from core.models import Group, User, Notification
@@ -166,23 +166,22 @@ class BillingInfo(models.Model): """ Convert the data from this model into a xml usable by the online paying service of the Crédit Agricole bank. - see : `https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/manuel-dintegration-focus-3ds-v2/principes-generaux/#boutique-cms-utilisation-des-modules-up2pay-e-transactions-mise-a-jour-module` + see : `https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/manuel-dintegration-focus-3ds-v2/principes-generaux/#integration-3dsv2-developpeur-webmaster` """ data = { - "Billing": { - "Address": { - "FirstName": self.first_name, - "LastName": self.last_name, - "Address1": self.address_1, - "ZipCode": self.zip_code, - "City": self.city, - "CountryCode": self.country, - } + "Address": { + "FirstName": self.first_name, + "LastName": self.last_name, + "Address1": self.address_1, + "ZipCode": self.zip_code, + "City": self.city, + "CountryCode": self.country, } } if self.address_2: - data["Billing"]["Address"]["Address2"] = self.address_2 - return dict2xml(data) + data["Address"]["Address2"] = self.address_2 + xml = dict2xml(data, wrap="Billing", newlines=False) + return '' + xml def __str__(self): return f"{self.first_name} {self.last_name}" diff --git a/eboutic/models.py b/eboutic/models.py index 0b2014e7..ced2821c 100644 --- a/eboutic/models.py +++ b/eboutic/models.py @@ -22,6 +22,7 @@ # # import hmac +import html import typing from datetime import datetime from typing import List 
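Review bot: The XML built in `to_3dsv2_xml` puts user-editable billing fields (`first_name`, `address_1`, `city`, …) straight into element text, so the hunk is relying on `dict2xml` to escape `&`, `<` and `>` in those values; if the installed version does not, an address containing `&` produces XML the bank's parser must reject, and a test that pushes a value such as `A & B` through this method and `xml.etree.ElementTree.fromstring` would settle it. The prefix on `return '' + xml` is empty as shown here, so the concatenation is a no-op unless an XML prolog was lost in rendering; the same applies to `cart = '' + cart` in the eboutic/models.py hunk. The docstring could also record the new contract, e.g. `Return the raw XML; callers embedding it in the payment form are expected to HTML-escape it (see Basket).` The `def to_3dsv2_xml` signature line sits above the hunk.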
@@ -197,30 +198,22 @@ class Basket(models.Model):
             ("PBX_TYPEPAIEMENT", "CARTE"),
             ("PBX_TYPECARTE", "CB"),
             ("PBX_TIME", datetime.now().replace(microsecond=0).isoformat("T")),
-            ("PBX_BILLING", customer.billing_infos.to_3dsv2_xml()),
-            (
-                "PBX_SHOPPINGCART",
-                dict2xml({"shoppingcart": {"total": {min(self.items.count(), 99)}}}),
-            ),
         ]
-        data.append(
-            (
-                "PBX_HMAC",
-                (
-                    hmac.new(
-                        settings.SITH_EBOUTIC_HMAC_KEY,
-                        bytes("&".join("=".join(d) for d in data), "utf-8"),
-                        "sha512",
-                    )
-                    .hexdigest()
-                    .upper()
-                ),
-            )
+        cart = {"shoppingcart": {"total": min(self.items.count(), 99)}}
+        cart = dict2xml(cart, newlines=False)
+        cart = '' + cart
+        data += [
+            ("PBX_SHOPPINGCART", html.escape(cart)),
+            ("PBX_BILLING", html.escape(customer.billing_infos.to_3dsv2_xml())),
+        ]
+        pbx_hmac = hmac.new(
+            settings.SITH_EBOUTIC_HMAC_KEY,
+            bytes("&".join("=".join(d) for d in data), "utf-8"),
+            "sha512",
         )
+        data.append(("PBX_HMAC", pbx_hmac.hexdigest().upper()))
         return data
-    # def validate(self, exclude=None):
-
     def __str__(self):
         return "%s's basket (%d items)" % (self.user, self.items.all().count())
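Review bot: The signature built at `pbx_hmac = hmac.new(...)` covers the HTML-escaped forms of PBX_SHOPPINGCART and PBX_BILLING, so it only verifies if the bank receives exactly those escaped strings; whether that holds depends on how the template emits `data` (auto-escaped values post back as the escaped string, values marked safe post back decoded), which this hunk cannot show, so a comment on the `data += [` block such as `# the escaped XML is what is signed; the form must post it unchanged` would record the assumption for the next reader. `html.escape` is called with its default `quote=True`, so the double quotes inside the XML also become entities, which is what embedding in an attribute value needs. Rebinding `cart` three times across two types (dict, then str) reads poorly; `cart_xml = dict2xml(cart, newlines=False)` keeps the dict and the serialized string distinct. The enclosing method and the opening of the `data = [` list start above the hunk.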