[SECURITY] Fix XSS injection vulnerabilities in question answers, event, quota and product names

Raphael Michel
2017-08-20 15:30:13 +02:00
parent 24e5d337a6
commit 3428ea2f18
7 changed files with 49 additions and 14 deletions


@@ -1,6 +1,7 @@
{% extends "pretixcontrol/items/base.html" %}
{% load i18n %}
{% load bootstrap3 %}
{% load escapejson %}
{% load formset_tags %}
{% block title %}{% blocktrans with name=question.question %}Question: {{ name }}{% endblocktrans %}{% endblock %}
{% block inside %}
@@ -58,7 +59,7 @@
<div class="chart" id="question_chart" data-type="{{ question.type }}">
</div>
<script type="application/json" id="question-chart-data">{{ stats_json|safe }}</script>
<script type="application/json" id="question-chart-data">{{ stats_json|escapejson }}</script>
</div>
<div class="col-md-5 col-xs-12">
<table class="table table-bordered table-hover">
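Review bot: `escapejson` only makes the payload safe to embed in the `<script type="application/json">` element; the answer strings inside `stats_json` are still user-supplied once the page script parses them and draws `#question_chart`. The chart code is not part of this section, so it should be confirmed that labels and tooltips are written to the DOM as text (for example via `textContent`) and not as HTML. The same applies to `quota_chart_data` in the quota template further down. A short template comment next to the line would help keep `|safe` from being reintroduced, e.g. `{# contains user-supplied strings: keep escapejson, never |safe #}`.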


@@ -1,6 +1,7 @@
{% extends "pretixcontrol/items/base.html" %}
{% load i18n %}
{% load bootstrap3 %}
{% load escapejson %}
{% load eventsignal %}
{% block title %}{% blocktrans with name=quota.name %}Quota: {{ name }}{% endblocktrans %}{% endblock %}
{% block inside %}
@@ -25,7 +26,7 @@
<div class="chart" id="quota_chart">
</div>
<script type="application/json" id="quota-chart-data">{{ quota_chart_data|safe }}</script>
<script type="application/json" id="quota-chart-data">{{ quota_chart_data|escapejson }}</script>
</div>
<div class="col-md-5 col-xs-12">
<legend>{% trans "Availability calculation" %}</legend>


@@ -8,6 +8,7 @@ from django.shortcuts import render
from django.template.loader import get_template
from django.utils import formats
from django.utils.formats import date_format
from django.utils.html import escape
from django.utils.translation import ugettext_lazy as _
from pretix.base.models import (
@@ -136,7 +137,7 @@ def quota_widgets(sender, **kwargs):
status, left = q.availability()
widgets.append({
'content': NUM_WIDGET.format(num='{}/{}'.format(left, q.size) if q.size is not None else '\u221e',
text=_('{quota} left').format(quota=q.name)),
text=_('{quota} left').format(quota=escape(q.name))),
'display_size': 'small',
'priority': 50,
'url': reverse('control:event.items.quotas.show', kwargs={
@@ -258,7 +259,8 @@ def user_event_widgets(**kwargs):
for event in events:
widgets.append({
'content': '<div class="event">{event}<span class="from">{df}</span><span class="to">{dt}</span></div>'.format(
event=event.name, df=date_format(event.date_from, 'SHORT_DATE_FORMAT') if event.date_from else '',
event=escape(event.name),
df=date_format(event.date_from, 'SHORT_DATE_FORMAT') if event.date_from else '',
dt=date_format(event.date_to, 'SHORT_DATE_FORMAT') if event.date_to else ''
),
'display_size': 'small',
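Review bot: Escaping is applied one field at a time (`escape(q.name)` in quota_widgets, `escape(event.name)` in user_event_widgets) while the markup is still assembled with `str.format`, so any value added to these strings later is unescaped by default. `django.utils.html.format_html` escapes every argument and would make the safe path the default, e.g. `'content': format_html('<div class="event">{event}<span class="from">{df}</span><span class="to">{dt}</span></div>', event=event.name, df=df, dt=dt)`. `NUM_WIDGET` and the other widget builders in this file are defined outside these hunks, so it is worth checking whether they interpolate other user-editable names (items, organizers) the same way. Both functions start and end outside the visible hunks.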