[SECURITY] Fix XSS injection vulnerabilities in question answers, event, quota and product names

2017-08-20 15:30:13 +02:00
parent 24e5d337a6
commit 3428ea2f18
7 changed files with 49 additions and 14 deletions
--- a/src/pretix/control/templates/pretixcontrol/items/question.html
+++ b/src/pretix/control/templates/pretixcontrol/items/question.html
@@ -1,6 +1,7 @@
 {% extends "pretixcontrol/items/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
+{% load escapejson %}
 {% load formset_tags %}
 {% block title %}{% blocktrans with name=question.question %}Question: {{ name }}{% endblocktrans %}{% endblock %}
 {% block inside %}
@@ -58,7 +59,7 @@
                <div class="chart" id="question_chart" data-type="{{ question.type }}">

                </div>
-                <script type="application/json" id="question-chart-data">{{ stats_json|safe }}</script>
+                <script type="application/json" id="question-chart-data">{{ stats_json|escapejson }}</script>
            </div>
            <div class="col-md-5 col-xs-12">
                <table class="table table-bordered table-hover">