From 79cbfac0922066c4f92f6a9eb7a91c34772e295c Mon Sep 17 00:00:00 2001
From: PCoder
Date: Thu, 12 Nov 2020 12:12:46 +0530
Subject: [PATCH 1/5] Escape ssh key before storing
---
 hosting/forms.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosting/forms.py b/hosting/forms.py
index 947cee44..8df2bd3e 100644
--- a/hosting/forms.py
+++ b/hosting/forms.py
@@ -2,6 +2,7 @@ import datetime
 import logging
 import subprocess
 import tempfile
+import xml
 
 from django import forms
 from django.conf import settings
@@ -207,7 +208,7 @@ class UserHostingKeyForm(forms.ModelForm):
 logger.debug(
 "Not a correct ssh format {error}".format(error=str(cpe)))
 raise forms.ValidationError(KEY_ERROR_MESSAGE)
- return openssh_pubkey_str
+ return xml.sax.saxutils.escape(openssh_pubkey_str)
 
 def clean_name(self):
 INVALID_NAME_MESSAGE = _("Comma not accepted in the name of the key")
From 52362cd0ea413e4b8da4a4ba06615d84825d2a35 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Tue, 1 Dec 2020 17:12:29 +0530
Subject: [PATCH 2/5] In case of error, log it and return empty result
---
 datacenterlight/templatetags/custom_tags.py | 40 +++++++++++----------
 1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/datacenterlight/templatetags/custom_tags.py b/datacenterlight/templatetags/custom_tags.py
index 8003be0e..0015ac58 100644
--- a/datacenterlight/templatetags/custom_tags.py
+++ b/datacenterlight/templatetags/custom_tags.py
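Review bot: `import xml` in the first hunk of hosting/forms.py does not bring `xml.sax.saxutils` into scope, because importing a package does not load its submodules; the `xml.sax.saxutils.escape(openssh_pubkey_str)` added in the second hunk therefore raises AttributeError unless some other module in the process happens to have imported `xml.sax.saxutils` first, so the import should be `import xml.sax.saxutils` (or `from xml.sax.saxutils import escape`). A second concern is where the escaping happens: it is applied in the form's clean method, so the stored key is the XML-escaped text (`<` as `&lt;`, `&` as `&amp;`, which can occur in a key comment such as `user <user@example.com>`), and any later consumer other than the XML-RPC call named in the changelog would receive a value that differs from what the user entered. If that call goes through `xmlrpc.client`, that library already escapes string parameters, so the key would be escaped twice; encoding for a sink belongs at the sink, with the form keeping the validated key as entered. The clean method's body begins outside the hunk.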
@@ -72,25 +72,29 @@ def get_line_item_from_hosting_order_charge(hosting_order_id): :param hosting_order_id: the HostingOrder id :return: """ - hosting_order = HostingOrder.objects.get(id = hosting_order_id) - if hosting_order.stripe_charge_id: - return mark_safe(""" - {product_name} - {created_at} - {total} - - {see_invoice_text} - - """.format( - product_name=hosting_order.generic_product.product_name.capitalize(), - created_at=hosting_order.created_at.strftime('%Y-%m-%d'), - total='%.2f' % (hosting_order.price), - receipt_url=reverse('hosting:orders', - kwargs={'pk': hosting_order.id}), + try: + hosting_order = HostingOrder.objects.get(id = hosting_order_id) + if hosting_order.stripe_charge_id: + return mark_safe(""" + {product_name} + {created_at} + {total} + + {see_invoice_text} + + """.format( + product_name=hosting_order.generic_product.product_name.capitalize(), + created_at=hosting_order.created_at.strftime('%Y-%m-%d'), + total='%.2f' % (hosting_order.price), + receipt_url=reverse('hosting:orders', + kwargs={'pk': hosting_order.id}), - see_invoice_text=_("See Invoice") - )) - else: + see_invoice_text=_("See Invoice") + )) + else: + return "" + except Exception as ex: + logger.error("Error %s" % str(ex)) return "" From e8b79d6951fd2af3b42842fa8cb7be3c4d427b60 Mon Sep 17 00:00:00 2001 From: PCoder Date: Tue, 1 Dec 2020 17:12:55 +0530 Subject: [PATCH 3/5] Return emtpty string when plan is not set --- datacenterlight/templatetags/custom_tags.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datacenterlight/templatetags/custom_tags.py b/datacenterlight/templatetags/custom_tags.py index 0015ac58..120cabbf 100644 --- a/datacenterlight/templatetags/custom_tags.py +++ b/datacenterlight/templatetags/custom_tags.py 
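Review bot: The `except Exception as ex` wrapped around the whole body catches every failure, including programming errors in the template string or the `reverse()` call, and logs it as `Error <message>` with neither the traceback nor the order id, so the blank cell the template now shows is hard to trace back to a cause. The case the commit message describes, a missing order, is `HostingOrder.DoesNotExist`; catch that one explicitly, `except HostingOrder.DoesNotExist:` / `logger.error("HostingOrder %s does not exist", hosting_order_id)` / `return ""`, and if a catch-all is kept at all, use `logger.exception(...)` so the stack trace is recorded. The re-indented `mark_safe` block still interpolates `product_name` into HTML without escaping; this predates the commit, but `format_html` would give the same result with escaping. The function's `def` line and docstring start are outside the hunk.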
@@ -114,7 +114,7 @@ def get_line_item_from_stripe_invoice(invoice):
 plan_name = ""
 for line_data in invoice["lines"]["data"]:
 if is_first:
- plan_name = line_data.plan.name
+ plan_name = line_data.plan.name if line_data.plan is not None else ""
 start_date = line_data.period.start
 end_date = line_data.period.end
 is_first = False
From d980fb00003c15008a95bb3e9176e1f481926195 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Tue, 1 Dec 2020 17:13:09 +0530
Subject: [PATCH 4/5] Quote email in links
---
 hosting/views.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosting/views.py b/hosting/views.py
index 438a0d55..d03661fd 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -1,6 +1,7 @@
 import logging
 import uuid
 from datetime import datetime
+from urllib.parse import quote
 from time import sleep
 
 import stripe
@@ -1292,7 +1293,7 @@ class InvoiceListView(LoginRequiredMixin, TemplateView):
 if ('user_email' in self.request.GET and
 self.request.user.email == settings.ADMIN_EMAIL):
 user_email = self.request.GET['user_email']
- context['user_email'] = user_email
+ context['user_email'] = '%s' % quote(user_email)
 logger.debug(
 "user_email = {}".format(user_email)
 )
From bf1aad82b8e6a3c60d5218007e894b758df4061c Mon Sep 17 00:00:00 2001
From: PCoder
Date: Wed, 2 Dec 2020 18:38:37 +0530
Subject: [PATCH 5/5] Update Changelog for 2.13
---
 Changelog | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Changelog b/Changelog
index 43d3495f..fdadadf1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+2.13: 2020-12-02
+ * 8654: Fix 500 error on invoices list for the user contact+devuanhosting.com@virus.media (MR!742)
+ * 8593: Escape user's ssh key in xml-rpc call to create VM (MR!741)
 2.12.1: 2020-07-21
 * 8307: Introduce "Exclude vat calculations" for Generic Products (MR!740)
 * Change DE VAT rate to 16% from 19% (MR!739)
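Review bot: The new `plan_name = line_data.plan.name if line_data.plan is not None else ""` runs well past the line length used elsewhere in this file and repeats the attribute lookup; binding it once reads better: `plan = line_data.plan` / `plan_name = plan.name if plan is not None else ""`. The guard assumes `plan` is present-but-None on lines without a plan; if the Stripe line object can instead lack the attribute entirely, `getattr(line_data, "plan", None)` would cover both cases, which is worth confirming against the invoice lines this code sees. The loop's `is_first` initialisation and the rest of get_line_item_from_stripe_invoice are outside the hunk.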
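Review bot: `'%s' % quote(user_email)` in InvoiceListView wraps an already-str result in a no-op format, so the line reduces to `context['user_email'] = quote(user_email)`. More importantly, `quote` is URL percent-encoding, so the stored context value is only correct if the template uses `user_email` inside a URL and nowhere else; if it is also rendered as visible text, `@` will display as `%40`, and the usual split is to pass the raw value through (Django autoescapes it as HTML) and apply the `urlencode` template filter at the one place it is embedded in a URL. Note also that `quote` leaves `/` unescaped by default, so for a query-string value `quote(user_email, safe='')` is the safer call. The `from urllib.parse import quote` line in the first hunk of hosting/views.py is inserted between `from datetime import datetime` and `from time import sleep`, breaking the alphabetical order of that block. The method around the changed line continues outside the hunk.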