fix(chatter): wrap HTML message_post bodies in Markup() — 4 sites

Four message_post calls were passing strings with HTML tags as plain `body=_(...)` instead of `body=Markup(_(...))`. Odoo escapes non-Markup strings, so the chatter rendered "<b>QA Review failed</b>" as literal text instead of bolding it. Original bug surfaced via the Contract Review (QA-005) flow: body: "<b>QA Review failed</b> by Garry Singh. Awaiting client information.<br/><b>Reason:</b><br/> <div data-oe-version=\"2.0\">Need to get updated drawing...</div>" Audit scan turned up three more identical patterns: fusion_plating/models/fp_parent_numbered_mixin.py:118 "Issued <strong>%s</strong> to ..." fusion_plating_jobs/models/sale_order.py:282 "Confirmed quote <strong>%s</strong> as <strong>%s</strong>." fusion_plating_quality/models/fp_contract_review.py:430 "<b>QA Review failed</b> by ... <b>Reason:</b><br/>%(reason)s" fusion_plating_quality/models/fp_contract_review.py:524 "<b>QA Review completed</b> by ... <b>Special Instructions captured:</b><br/>%(notes)s" Fixes: - Wrapped each body=_(...) with Markup(_(...)) using the Markup(template) % values pattern (auto-escapes the substituted values; user-supplied free text stays safe). - For Html-field substitutions (qa_failure_reason, special_instructions), explicitly wrapped the value in Markup() so already-formatted HTML editor content (with data-oe-version="2.0" wrapper divs) flows through without being re-escaped. - Added `from markupsafe import Markup` to the two files that didn't already import it (mixin + contract_review). Drift cleanup: pulled the 180-line newer fp_contract_review.py from entech to the local repo (added action_qa_review_failed, action_open_client_email_wizard, action_view_client_emails, action_complete_after_info, awaiting_info state, qa_failure_reason + special_instructions Html fields, etc. that had been edited on entech without being committed). Tested by re-posting via odoo shell on review 10: body now stores "<b>QA Review failed</b>..." with literal HTML tags instead of the double-escaped "<b>..." entities. Old chatter records with the bad escape stay as-is in the audit trail. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 08:41:39 -04:00
parent e7c6960de9
commit f07e1bcce1
6 changed files with 196 additions and 14 deletions
--- a/fusion_plating/fusion_plating/manifest.py
+++ b/fusion_plating/fusion_plating/manifest.py
@@ -5,7 +5,7 @@

 {
    'name': 'Fusion Plating',
-    'version': '19.0.18.15.15',
+    'version': '19.0.18.15.16',
    'category': 'Manufacturing/Plating',
    'summary': 'Core plating / metal finishing ERP: facilities, processes, tanks, baths, jobs, operators.',
    'description': """
--- a/fusion_plating/fusion_plating/models/fp_parent_numbered_mixin.py
+++ b/fusion_plating/fusion_plating/models/fp_parent_numbered_mixin.py
@@ -13,6 +13,7 @@ for the design rationale.
 """
 import re

+from markupsafe import Markup
 from odoo import fields, models
 from odoo.exceptions import UserError
 from odoo.tools.translate import _
@@ -115,9 +116,9 @@ class FpParentNumberedMixin(models.AbstractModel):
            (new_name, new_index, self.id),
        )
        self.invalidate_recordset(['name', 'x_fc_doc_index'])
-        so.message_post(body=_(
+        so.message_post(body=Markup(_(
            'Issued <strong>%s</strong> to %s #%s.'
-        ) % (new_name, self._name, self.id))
+        )) % (new_name, self._name, self.id))
        return True

    # ------------------------------------------------------------------