From 1b88a84a8375abfad9a3a1fd68d9453737e89e33 Mon Sep 17 00:00:00 2001
From: Martin Gross
Date: Wed, 8 Apr 2026 12:34:26 +0200
Subject: [PATCH] Move validation into form field.
---
 src/pretix/base/forms/questions.py | 7 ++++++-
 src/pretix/presale/forms/customer.py | 11 -----------
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/src/pretix/base/forms/questions.py b/src/pretix/base/forms/questions.py
index 0dec88e90..7e80db026 100644
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -90,7 +90,7 @@ from pretix.base.settings import (
 COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL, PERSON_NAME_SALUTATIONS, PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS,
 )
-from pretix.base.templatetags.rich_text import rich_text
+from pretix.base.templatetags.rich_text import rich_text, URL_RE
 from pretix.base.timemachine import time_machine_now
 from pretix.control.forms import (
 ExtFileField, ExtValidationMixin, SizeValidationMixin, SplitDateTimeField,
@@ -227,6 +227,11 @@ class NamePartsFormField(forms.MultiValueField):
 # bots.
 r'^[^$€/%§{}<>~]*$',
 message=_('Please do not use special characters in names.')
+ ),
+ RegexValidator(
+ URL_RE,
+ inverse_match=True,
+ message=_('Please do not use special characters in names.')
 )
 ]
 }
diff --git a/src/pretix/presale/forms/customer.py b/src/pretix/presale/forms/customer.py
index d865b2550..ac35edf72 100644
--- a/src/pretix/presale/forms/customer.py
+++ b/src/pretix/presale/forms/customer.py
@@ -43,7 +43,6 @@ from pretix.base.forms.questions import (
 )
 from pretix.base.i18n import get_language_without_region
 from pretix.base.models import Customer
-from pretix.base.templatetags.rich_text import URL_RE
 from pretix.helpers.http import get_client_ip
 from pretix.multidomain.urlreverse import build_absolute_uri
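Review bot: In the changed import of the `@@ -90,7 +90,7 @@` hunk in questions.py, `rich_text, URL_RE` is not the order isort produces by default, which sorts ALL_CAPS constants before lowercase names. If the project checks import order in CI, this line would likely be flagged; `from pretix.base.templatetags.rich_text import URL_RE, rich_text` avoids that.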
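Review bot: The `RegexValidator(URL_RE, inverse_match=True, ...)` entry added to the `validators` list of `NamePartsFormField` (hunk `@@ -227,6 +227,11 @@` in questions.py) has no comment and no `code`. The `RegistrationForm` check it replaces, removed in the last customer.py hunk, explained why URL-like names are rejected and raised `code='invalid_characters'`. I would add a comment above the new validator such as `# Names are user-controlled and can end up in emails we send; reject URL-like values so they cannot be used to deliver spam links.` and pass `code='invalid_characters'`, since `RegexValidator` otherwise reports its default code `invalid`. Because the validator now sits in the shared field, it presumably applies to every form that uses `NamePartsFormField`, not only customer registration. A test with legitimate names that happen to match `URL_RE` would show whether the reused "special characters" message is still adequate. The enclosing dict and method start outside the hunk.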
@@ -151,7 +150,6 @@ class RegistrationForm(forms.Form):
 "instead."
 ),
 'required': _('This field is required.'),
- 'invalid_characters': _('Please do not use special characters in names.'),
 }
 def __init__(self, request=None, *args, **kwargs):
@@ -238,15 +236,6 @@ class RegistrationForm(forms.Form):
 code='duplicate',
 )
- # Since the name is user-controlled and can end up in emails sent to customers
- # we want to sanitize for domains and avoid becoming part of a spamming operation.
- for name_part in self.cleaned_data.get('name_parts', {}).values():
- if URL_RE.search(name_part):
- raise forms.ValidationError(
- {'name_parts': self.error_messages['invalid_characters']},
- code='invalid_characters',
- )
-
 if self.standalone:
 expect = -1
 try: