From 396bf6a6eb10f64a13ef72f501b8754dfe00b0dc Mon Sep 17 00:00:00 2001
From: Marco Colombo <marco.colombo@gmail.com>
Date: Fri, 11 Oct 2024 10:16:52 +0200
Subject: [PATCH] [FIX] l10n_it_central_journal_reportlab: escape Paragraph
 content

---
 l10n_it_central_journal_reportlab/README.rst  |  2 +-
 .../__manifest__.py                           |  2 +-
 .../static/description/index.html             |  2 +-
 .../wizard/print_giornale.py                  | 57 ++++++++++---------
 4 files changed, 34 insertions(+), 29 deletions(-)

diff --git a/l10n_it_central_journal_reportlab/README.rst b/l10n_it_central_journal_reportlab/README.rst
index 53997984783a..299607c02f6b 100644
--- a/l10n_it_central_journal_reportlab/README.rst
+++ b/l10n_it_central_journal_reportlab/README.rst
@@ -7,7 +7,7 @@ ITA - Libro giornale - Reportlab
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:406c815cf9f5d7858e2354cdb28c41b751c27edacf1b580a4ca626ef2ea10a9a
+   !! source digest: sha256:91af559133071364b21113152d074c2e22096b825300936d3a24de75f65d2fe9
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
diff --git a/l10n_it_central_journal_reportlab/__manifest__.py b/l10n_it_central_journal_reportlab/__manifest__.py
index e2883d911e5b..451c8a796381 100644
--- a/l10n_it_central_journal_reportlab/__manifest__.py
+++ b/l10n_it_central_journal_reportlab/__manifest__.py
@@ -3,7 +3,7 @@
 
 {
     "name": "ITA - Libro giornale - Reportlab",
-    "version": "16.0.1.0.5",
+    "version": "16.0.1.0.6",
     "development_status": "Beta",
     "category": "Localization/Italy",
     "author": "Gianmarco Conte - Dinamiche Aziendali srl, "
diff --git a/l10n_it_central_journal_reportlab/static/description/index.html b/l10n_it_central_journal_reportlab/static/description/index.html
index f3f615d2c67f..57c980f665d4 100644
--- a/l10n_it_central_journal_reportlab/static/description/index.html
+++ b/l10n_it_central_journal_reportlab/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">ITA - Libro giornale - Reportlab</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:406c815cf9f5d7858e2354cdb28c41b751c27edacf1b580a4ca626ef2ea10a9a
+!! source digest: sha256:91af559133071364b21113152d074c2e22096b825300936d3a24de75f65d2fe9
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/l10n-italy/tree/16.0/l10n_it_central_journal_reportlab"><img alt="OCA/l10n-italy" src="https://img.shields.io/badge/github-OCA%2Fl10n--italy-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/l10n-italy-16-0/l10n-italy-16-0-l10n_it_central_journal_reportlab"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/l10n-italy&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p><strong>Italiano</strong></p>
diff --git a/l10n_it_central_journal_reportlab/wizard/print_giornale.py b/l10n_it_central_journal_reportlab/wizard/print_giornale.py
index 800b9dd8cfcc..5a661aef6f26 100644
--- a/l10n_it_central_journal_reportlab/wizard/print_giornale.py
+++ b/l10n_it_central_journal_reportlab/wizard/print_giornale.py
@@ -5,6 +5,7 @@
 import base64
 import io
 from datetime import timedelta
+from xml.sax.saxutils import escape
 
 from reportlab.lib import colors
 from reportlab.lib.enums import TA_RIGHT
@@ -308,8 +309,12 @@ def get_initial_balance_data_report_giornale(self):
                 "",
                 "",
                 Paragraph(_("Initial Balance"), style_name),
-                Paragraph(formatLang(self.env, self.progressive_debit2), style_number),
-                Paragraph(formatLang(self.env, self.progressive_credit), style_number),
+                Paragraph(
+                    escape(formatLang(self.env, self.progressive_debit2)), style_number
+                ),
+                Paragraph(
+                    escape(formatLang(self.env, self.progressive_credit)), style_number
+                ),
             ]
         ]
         return initial_balance_data
@@ -338,27 +343,28 @@ def get_grupped_final_tables_report_giornale(
             )
             if not account_name:
                 continue
-            # evitiamo che i caratteri < o > vengano interpretato come tag html
-            # dalla libreria reportlab
-            account_name = account_name.replace("<", "&lt;").replace(">", "&gt;")
 
             start_row += 1
-            row = Paragraph(str(start_row), style_name)
-            date = Paragraph(format_date(self.env, line["date"]), style_name)
-            move = Paragraph(line["move_name"], style_name)
-            account = Paragraph(account_name, style_name)
-            name = Paragraph(line["name"], style_name)
+            row = Paragraph(escape(str(start_row)), style_name)
+            date = Paragraph(escape(format_date(self.env, line["date"])), style_name)
+            move = Paragraph(escape(line["move_name"]), style_name)
+            account = Paragraph(escape(account_name), style_name)
+            name = Paragraph(escape(line["name"]), style_name)
             # dato che nel SQL ho la somma dei crediti e debiti potrei avere
             # che un conto ha sia debito che credito
             lines_data = []
             if line["debit"] > 0:
-                debit = Paragraph(formatLang(self.env, line["debit"]), style_number)
-                credit = Paragraph(formatLang(self.env, 0), style_number)
+                debit = Paragraph(
+                    escape(formatLang(self.env, line["debit"])), style_number
+                )
+                credit = Paragraph(escape(formatLang(self.env, 0)), style_number)
                 list_balance.append((line["debit"], 0))
                 lines_data.append([[row, date, move, account, name, debit, credit]])
             if line["credit"] > 0:
-                debit = Paragraph(formatLang(self.env, 0), style_number)
-                credit = Paragraph(formatLang(self.env, line["credit"]), style_number)
+                debit = Paragraph(escape(formatLang(self.env, 0)), style_number)
+                credit = Paragraph(
+                    escape(formatLang(self.env, line["credit"])), style_number
+                )
                 list_balance.append((0, line["credit"]))
                 lines_data.append([[row, date, move, account, name, debit, credit]])
             for line_data in lines_data:
@@ -394,25 +400,24 @@ def get_final_tables_report_giornale(
 
         for line in self.env["account.move.line"].browse(move_line_ids):
             start_row += 1
-            row = Paragraph(str(start_row), style_name)
-            date = Paragraph(format_date(self.env, line.date), style_name)
-            ref = Paragraph(str(line.ref or ""), style_name)
+            row = Paragraph(escape(str(start_row)), style_name)
+            date = Paragraph(escape(format_date(self.env, line.date)), style_name)
+            ref = Paragraph(escape(str(line.ref or "")), style_name)
             move_name = line.move_id.name or ""
-            move = Paragraph(move_name, style_name)
+            move = Paragraph(escape(move_name), style_name)
             account_name = self._get_account_name_reportlab(line)
             # evitiamo che i caratteri < o > vengano interpretato come tag html
             # dalla libreria reportlab
-            account_name = account_name.replace("<", "&lt;").replace(">", "&gt;")
-            account = Paragraph(account_name, style_name)
+            account = Paragraph(escape(account_name), style_name)
             if line.account_id.account_type in [
                 "asset_receivable",
                 "liability_payable",
             ]:
-                name = Paragraph(str(line.partner_id.name or ""), style_name)
+                name = Paragraph(escape(str(line.partner_id.name or "")), style_name)
             else:
-                name = Paragraph(str(line.name or ""), style_name)
-            debit = Paragraph(formatLang(self.env, line.debit), style_number)
-            credit = Paragraph(formatLang(self.env, line.credit), style_number)
+                name = Paragraph(escape(str(line.name or "")), style_name)
+            debit = Paragraph(escape(formatLang(self.env, line.debit)), style_number)
+            credit = Paragraph(escape(formatLang(self.env, line.credit)), style_number)
             list_balance.append((line.debit, line.credit))
             line_data = [[row, date, ref, move, account, name, debit, credit]]
             if previous_move_name != move_name:
@@ -441,8 +446,8 @@ def get_balance_data_report_giornale(self, tot_debit, tot_credit, final=False):
                 "",
                 "",
                 name,
-                Paragraph(formatLang(self.env, tot_debit), style_number),
-                Paragraph(formatLang(self.env, tot_credit), style_number),
+                Paragraph(escape(formatLang(self.env, tot_debit)), style_number),
+                Paragraph(escape(formatLang(self.env, tot_credit)), style_number),
             ]
         ]
         return balance_data