[SECURITY] Fix stored XSS in help texts

2022-02-17 22:19:15 +01:00
parent 5922403d40
commit 80eb6826b3
3 changed files with 6 additions and 4 deletions
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -705,7 +705,7 @@ class BaseQuestionsForm(forms.Form):
                    label=label, required=required,
                    min_value=q.valid_number_min or Decimal('0.00'),
                    max_value=q.valid_number_max,
-                    help_text=q.help_text,
+                    help_text=help_text,
                    initial=initial.answer if initial else None,
                )
            elif q.type == Question.TYPE_STRING:
--- a/src/pretix/presale/forms/checkout.py
+++ b/src/pretix/presale/forms/checkout.py
@@ -47,6 +47,7 @@ from pretix.base.forms.questions import (
    BaseInvoiceAddressForm, BaseQuestionsForm, WrappedPhoneNumberPrefixWidget,
    guess_phone_prefix,
 )
+from pretix.base.templatetags.rich_text import rich_text
 from pretix.base.validators import EmailBanlistValidator
 from pretix.presale.signals import contact_form_fields

@@ -82,7 +83,7 @@ class ContactForm(forms.Form):
            self.fields['phone'] = PhoneNumberField(
                label=_('Phone number'),
                required=self.event.settings.order_phone_required,
-                help_text=self.event.settings.checkout_phone_helptext,
+                help_text=rich_text(self.event.settings.checkout_phone_helptext),
                widget=WrappedPhoneNumberPrefixWidget()
            )

@@ -91,7 +92,7 @@ class ContactForm(forms.Form):
            # is an autofocus field. Who would have thought… See e.g. here:
            # https://floatboxjs.com/forum/topic.php?post=8440&usebb_sid=2e116486a9ec6b7070e045aea8cded5b#post8440
            self.fields['email'].widget.attrs['autofocus'] = 'autofocus'
-        self.fields['email'].help_text = self.event.settings.checkout_email_helptext
+        self.fields['email'].help_text = rich_text(self.event.settings.checkout_email_helptext)

        responses = contact_form_fields.send(self.event, request=self.request)
        for r, response in responses:
--- a/src/pretix/presale/forms/waitinglist.py
+++ b/src/pretix/presale/forms/waitinglist.py
@@ -28,6 +28,7 @@ from pretix.base.forms.questions import (
    NamePartsFormField, WrappedPhoneNumberPrefixWidget, guess_phone_prefix,
 )
 from pretix.base.models import Quota, WaitingListEntry
+from pretix.base.templatetags.rich_text import rich_text
 from pretix.presale.views.event import get_grouped_items


@@ -99,7 +100,7 @@ class WaitingListForm(forms.ModelForm):
            self.fields['phone'] = PhoneNumberField(
                label=_("Phone number"),
                required=event.settings.waiting_list_phones_required,
-                help_text=event.settings.waiting_list_phones_explanation_text,
+                help_text=rich_text(event.settings.waiting_list_phones_explanation_text),
                widget=WrappedPhoneNumberPrefixWidget()
            )
        else: