From b4a5f1f1cc5100920ddc457114cab5e9a84cc227 Mon Sep 17 00:00:00 2001
From: Marco Colombo <marco.colombo@gmail.com>
Date: Fri, 11 Oct 2024 10:16:52 +0200
Subject: [PATCH] [FIX] l10n_it_central_journal_reportlab: escape Paragraph
 content

---
 .../wizard/print_giornale.py                  | 57 ++++++++++---------
 1 file changed, 31 insertions(+), 26 deletions(-)

diff --git a/l10n_it_central_journal_reportlab/wizard/print_giornale.py b/l10n_it_central_journal_reportlab/wizard/print_giornale.py
index 800b9dd8cfc..5a661aef6f2 100644
--- a/l10n_it_central_journal_reportlab/wizard/print_giornale.py
+++ b/l10n_it_central_journal_reportlab/wizard/print_giornale.py
@@ -5,6 +5,7 @@
 import base64
 import io
 from datetime import timedelta
+from xml.sax.saxutils import escape
 
 from reportlab.lib import colors
 from reportlab.lib.enums import TA_RIGHT
@@ -308,8 +309,12 @@ def get_initial_balance_data_report_giornale(self):
                 "",
                 "",
                 Paragraph(_("Initial Balance"), style_name),
-                Paragraph(formatLang(self.env, self.progressive_debit2), style_number),
-                Paragraph(formatLang(self.env, self.progressive_credit), style_number),
+                Paragraph(
+                    escape(formatLang(self.env, self.progressive_debit2)), style_number
+                ),
+                Paragraph(
+                    escape(formatLang(self.env, self.progressive_credit)), style_number
+                ),
             ]
         ]
         return initial_balance_data
@@ -338,27 +343,28 @@ def get_grupped_final_tables_report_giornale(
             )
             if not account_name:
                 continue
-            # evitiamo che i caratteri < o > vengano interpretato come tag html
-            # dalla libreria reportlab
-            account_name = account_name.replace("<", "&lt;").replace(">", "&gt;")
 
             start_row += 1
-            row = Paragraph(str(start_row), style_name)
-            date = Paragraph(format_date(self.env, line["date"]), style_name)
-            move = Paragraph(line["move_name"], style_name)
-            account = Paragraph(account_name, style_name)
-            name = Paragraph(line["name"], style_name)
+            row = Paragraph(escape(str(start_row)), style_name)
+            date = Paragraph(escape(format_date(self.env, line["date"])), style_name)
+            move = Paragraph(escape(line["move_name"]), style_name)
+            account = Paragraph(escape(account_name), style_name)
+            name = Paragraph(escape(line["name"]), style_name)
             # dato che nel SQL ho la somma dei crediti e debiti potrei avere
             # che un conto ha sia debito che credito
             lines_data = []
             if line["debit"] > 0:
-                debit = Paragraph(formatLang(self.env, line["debit"]), style_number)
-                credit = Paragraph(formatLang(self.env, 0), style_number)
+                debit = Paragraph(
+                    escape(formatLang(self.env, line["debit"])), style_number
+                )
+                credit = Paragraph(escape(formatLang(self.env, 0)), style_number)
                 list_balance.append((line["debit"], 0))
                 lines_data.append([[row, date, move, account, name, debit, credit]])
             if line["credit"] > 0:
-                debit = Paragraph(formatLang(self.env, 0), style_number)
-                credit = Paragraph(formatLang(self.env, line["credit"]), style_number)
+                debit = Paragraph(escape(formatLang(self.env, 0)), style_number)
+                credit = Paragraph(
+                    escape(formatLang(self.env, line["credit"])), style_number
+                )
                 list_balance.append((0, line["credit"]))
                 lines_data.append([[row, date, move, account, name, debit, credit]])
             for line_data in lines_data:
@@ -394,25 +400,24 @@ def get_final_tables_report_giornale(
 
         for line in self.env["account.move.line"].browse(move_line_ids):
             start_row += 1
-            row = Paragraph(str(start_row), style_name)
-            date = Paragraph(format_date(self.env, line.date), style_name)
-            ref = Paragraph(str(line.ref or ""), style_name)
+            row = Paragraph(escape(str(start_row)), style_name)
+            date = Paragraph(escape(format_date(self.env, line.date)), style_name)
+            ref = Paragraph(escape(str(line.ref or "")), style_name)
             move_name = line.move_id.name or ""
-            move = Paragraph(move_name, style_name)
+            move = Paragraph(escape(move_name), style_name)
             account_name = self._get_account_name_reportlab(line)
             # evitiamo che i caratteri < o > vengano interpretato come tag html
             # dalla libreria reportlab
-            account_name = account_name.replace("<", "&lt;").replace(">", "&gt;")
-            account = Paragraph(account_name, style_name)
+            account = Paragraph(escape(account_name), style_name)
             if line.account_id.account_type in [
                 "asset_receivable",
                 "liability_payable",
             ]:
-                name = Paragraph(str(line.partner_id.name or ""), style_name)
+                name = Paragraph(escape(str(line.partner_id.name or "")), style_name)
             else:
-                name = Paragraph(str(line.name or ""), style_name)
-            debit = Paragraph(formatLang(self.env, line.debit), style_number)
-            credit = Paragraph(formatLang(self.env, line.credit), style_number)
+                name = Paragraph(escape(str(line.name or "")), style_name)
+            debit = Paragraph(escape(formatLang(self.env, line.debit)), style_number)
+            credit = Paragraph(escape(formatLang(self.env, line.credit)), style_number)
             list_balance.append((line.debit, line.credit))
             line_data = [[row, date, ref, move, account, name, debit, credit]]
             if previous_move_name != move_name:
@@ -441,8 +446,8 @@ def get_balance_data_report_giornale(self, tot_debit, tot_credit, final=False):
                 "",
                 "",
                 name,
-                Paragraph(formatLang(self.env, tot_debit), style_number),
-                Paragraph(formatLang(self.env, tot_credit), style_number),
+                Paragraph(escape(formatLang(self.env, tot_debit)), style_number),
+                Paragraph(escape(formatLang(self.env, tot_credit)), style_number),
             ]
         ]
         return balance_data