escape html characters on xml (#505)

2024-11-20 05:03:23 +00:00 · 2022-12-10 20:41:35 +01:00 · 2022-12-10 20:41:35 +01:00 · b8a72c57e1
commit b8a72c57e1
parent 9188565a86
2 changed files with 26 additions and 34 deletions
--- a/counter/models.py
+++ b/counter/models.py
@ -21,10 +21,9 @@
 # Place - Suite 330, Boston, MA 02111-1307, USA.
 #
 #
-from django.db.models.functions import Length

-from sith.settings import SITH_COUNTER_OFFICES, SITH_MAIN_CLUB
 from django.db import models
+from django.db.models.functions import Length
 from django.utils.translation import gettext_lazy as _
 from django.utils import timezone
 from django.conf import settings
@ -41,6 +40,7 @@ import base64
 import datetime
 from dict2xml import dict2xml

+from sith.settings import SITH_COUNTER_OFFICES, SITH_MAIN_CLUB
 from club.models import Club, Membership
 from accounting.models import CurrencyField
 from core.models import Group, User, Notification
@ -166,10 +166,9 @@ class BillingInfo(models.Model):
        """
        Convert the data from this model into a xml usable
        by the online paying service of the Crédit Agricole bank.
-        see : `https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/manuel-dintegration-focus-3ds-v2/principes-generaux/#boutique-cms-utilisation-des-modules-up2pay-e-transactions-mise-a-jour-module`
+        see : `https://www.ca-moncommerce.com/espace-client-mon-commerce/up2pay-e-transactions/ma-documentation/manuel-dintegration-focus-3ds-v2/principes-generaux/#integration-3dsv2-developpeur-webmaster`
        """
        data = {
-            "Billing": {
            "Address": {
                "FirstName": self.first_name,
                "LastName": self.last_name,
@ -179,10 +178,10 @@ class BillingInfo(models.Model):
                "CountryCode": self.country,
            }
        }
-        }
        if self.address_2:
-            data["Billing"]["Address"]["Address2"] = self.address_2
-        return dict2xml(data)
+            data["Address"]["Address2"] = self.address_2
+        xml = dict2xml(data, wrap="Billing", newlines=False)
+        return '<?xml version="1.0" encoding="UTF-8" ?>' + xml

    def __str__(self):
        return f"{self.first_name} {self.last_name}"
--- a/eboutic/models.py
+++ b/eboutic/models.py
@ -22,6 +22,7 @@
 #
 #
 import hmac
+import html
 import typing
 from datetime import datetime
 from typing import List
@ -197,30 +198,22 @@ class Basket(models.Model):
            ("PBX_TYPEPAIEMENT", "CARTE"),
            ("PBX_TYPECARTE", "CB"),
            ("PBX_TIME", datetime.now().replace(microsecond=0).isoformat("T")),
-            ("PBX_BILLING", customer.billing_infos.to_3dsv2_xml()),
-            (
-                "PBX_SHOPPINGCART",
-                dict2xml({"shoppingcart": {"total": {min(self.items.count(), 99)}}}),
-            ),
        ]
-        data.append(
-            (
-                "PBX_HMAC",
-                (
-                    hmac.new(
+        cart = {"shoppingcart": {"total": min(self.items.count(), 99)}}
+        cart = dict2xml(cart, newlines=False)
+        cart = '<?xml version="1.0" encoding="UTF-8" ?>' + cart
+        data += [
+            ("PBX_SHOPPINGCART", html.escape(cart)),
+            ("PBX_BILLING", html.escape(customer.billing_infos.to_3dsv2_xml())),
+        ]
+        pbx_hmac = hmac.new(
            settings.SITH_EBOUTIC_HMAC_KEY,
            bytes("&".join("=".join(d) for d in data), "utf-8"),
            "sha512",
        )
-                    .hexdigest()
-                    .upper()
-                ),
-            )
-        )
+        data.append(("PBX_HMAC", pbx_hmac.hexdigest().upper()))
        return data

-    # def validate(self, exclude=None):
-
    def __str__(self):
        return "%s's basket (%d items)" % (self.user, self.items.all().count())