Make microdata XSS-safe and subevent-aware

src/pretix/base/models/event.py

@@ -22,6 +22,7 @@ from pretix.base.models.base import LoggedModel
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.validators import EventSlugBlacklistValidator
 from pretix.helpers.daterange import daterange
+from pretix.helpers.json import safe_string
 
 from ..settings import settings_hierarkey
 from .organizer import Organizer
@@ -103,6 +104,30 @@ class EventMixin:
             return False
         return True
 
+    @property
+    def event_microdata(self):
+        import json
+
+        eventdict = {
+            "@context": "http://schema.org",
+            "@type": "Event", "location": {
+                "@type": "Place",
+                "address": str(self.location)
+            },
+            "name": str(self.name)
+        }
+
+        if self.settings.show_times:
+            eventdict["startDate"] = self.date_from.isoformat()
+            if self.settings.show_date_to and self.date_to is not None:
+                eventdict["endDate"] = self.date_to.isoformat()
+        else:
+            eventdict["startDate"] = self.date_from.date().isoformat()
+            if self.settings.show_date_to and self.date_to is not None:
+                eventdict["endDate"] = self.date_to.date().isoformat()
+
+        return safe_string(json.dumps(eventdict))
+
 
 @settings_hierarkey.add(parent_field='organizer', cache_namespace='event')
 class Event(EventMixin, LoggedModel):
@@ -365,26 +390,6 @@ class Event(EventMixin, LoggedModel):
                 providers[pp.identifier] = pp
         return providers
 
-    @property
-    def event_microdata(self):
-        import json
-
-        eventdict = {"@context": "http://schema.org", "@type": "Event"}
-        eventdict["location"] = {"@type": "Place",
-                                 "address": str(self.location)}
-        if self.settings.show_times:
-            eventdict["startDate"] = self.date_from.isoformat()
-            if self.settings.show_date_to and self.date_to is not None:
-                eventdict["endDate"] = self.date_to.isoformat()
-        else:
-            eventdict["startDate"] = self.date_from.date().isoformat()
-            if self.settings.show_date_to and self.date_to is not None:
-                eventdict["endDate"] = self.date_to.date().isoformat()
-
-        eventdict["name"] = str(self.name)
-
-        return json.dumps(eventdict)
-
     def get_invoice_renderers(self) -> dict:
         """
         Returns a dictionary of initialized invoice renderers mapped by their identifiers.

src/pretix/helpers/json.py

@@ -9,3 +9,7 @@ class CustomJSONEncoder(I18nJSONEncoder):
             return obj.to_string()
         else:
             return super().default(obj)
+
+
+def safe_string(original):
+    return original.replace("<", "\\u003C").replace(">", "\\u003E")

src/pretix/presale/templates/pretixpresale/base.html

@@ -30,13 +30,6 @@
         <script type="text/javascript" src="{% static "pretixpresale/js/ui/typocheck.js" %}"></script>
         <script type="text/javascript" src="{% static "lightbox/js/lightbox.min.js" %}"></script>
     {% endcompress %}
-    {% if event %}
-        {% autoescape off %}
-        <script type="application/ld+json">
-            {{ event.event_microdata }}
-        </script>
-        {% endautoescape %}
-    {% endif %}
     <meta name="referrer" content="origin">
     {{ html_head|safe }}
     <meta name="viewport" content="width=device-width, initial-scale=1">

src/pretix/presale/templates/pretixpresale/event/index.html

@@ -8,6 +8,12 @@
 {% block title %}{% trans "Presale" %}{% endblock %}
 
 {% block content %}
+
+    {% autoescape off %}
+        <script type="application/ld+json">
+            {{ ev.event_microdata }}
+        </script>
+    {% endautoescape %}
     {% if show_cart %}
         <div class="panel panel-primary cart">
             <div class="panel-heading">