escape html characters on xml (#505)

counter/models.py

@@ -21,10 +21,9 @@
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
-from django.db.models.functions import Length
 
-from sith.settings import SITH_COUNTER_OFFICES, SITH_MAIN_CLUB
 from django.db import models
+from django.db.models.functions import Length
 from django.utils.translation import gettext_lazy as _
 from django.utils import timezone
 from django.conf import settings
@@ -41,6 +40,7 @@ import base64
 import datetime
 from dict2xml import dict2xml
 
+from sith.settings import SITH_COUNTER_OFFICES, SITH_MAIN_CLUB
 from club.models import Club, Membership
 from accounting.models import CurrencyField
 from core.models import Group, User, Notification
@@ -166,10 +166,9 @@ class BillingInfo(models.Model):
         """
         Convert the data from this model into a xml usable
         by the online paying service of the Crédit Agricole bank.
-        see : `https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/manuel-dintegration-focus-3ds-v2/principes-generaux/#boutique-cms-utilisation-des-modules-up2pay-e-transactions-mise-a-jour-module`
+        see : `https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/manuel-dintegration-focus-3ds-v2/principes-generaux/#integration-3dsv2-developpeur-webmaster`
         """
         data = {
-            "Billing": {
             "Address": {
                 "FirstName": self.first_name,
                 "LastName": self.last_name,
@@ -179,10 +178,10 @@ class BillingInfo(models.Model):
                 "CountryCode": self.country,
             }
         }
-        }
         if self.address_2:
-            data["Billing"]["Address"]["Address2"] = self.address_2
+            data["Address"]["Address2"] = self.address_2
-        return dict2xml(data)
+        xml = dict2xml(data, wrap="Billing", newlines=False)
+        return '<?xml version="1.0" encoding="UTF-8" ?>' + xml
 
     def __str__(self):
         return f"{self.first_name} {self.last_name}"

eboutic/models.py

@@ -22,6 +22,7 @@
 #
 #
 import hmac
+import html
 import typing
 from datetime import datetime
 from typing import List
@@ -197,30 +198,22 @@ class Basket(models.Model):
             ("PBX_TYPEPAIEMENT", "CARTE"),
             ("PBX_TYPECARTE", "CB"),
             ("PBX_TIME", datetime.now().replace(microsecond=0).isoformat("T")),
-            ("PBX_BILLING", customer.billing_infos.to_3dsv2_xml()),
-            (
-                "PBX_SHOPPINGCART",
-                dict2xml({"shoppingcart": {"total": {min(self.items.count(), 99)}}}),
-            ),
         ]
-        data.append(
+        cart = {"shoppingcart": {"total": min(self.items.count(), 99)}}
-            (
+        cart = dict2xml(cart, newlines=False)
-                "PBX_HMAC",
+        cart = '<?xml version="1.0" encoding="UTF-8" ?>' + cart
-                (
+        data += [
-                    hmac.new(
+            ("PBX_SHOPPINGCART", html.escape(cart)),
+            ("PBX_BILLING", html.escape(customer.billing_infos.to_3dsv2_xml())),
+        ]
+        pbx_hmac = hmac.new(
             settings.SITH_EBOUTIC_HMAC_KEY,
             bytes("&".join("=".join(d) for d in data), "utf-8"),
             "sha512",
         )
-                    .hexdigest()
+        data.append(("PBX_HMAC", pbx_hmac.hexdigest().upper()))
-                    .upper()
-                ),
-            )
-        )
         return data
 
-    # def validate(self, exclude=None):
-
     def __str__(self):
         return "%s's basket (%d items)" % (self.user, self.items.all().count())