CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

PDF renderer: Properly escape HTML in some fields

Browse Source
This commit is contained in:
Raphael Michel
2019-10-29 12:10:30 +01:00
parent 70e95b42fa
commit 9ed49fb379
1 changed files with 15 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/pretix/base/pdf.py
View File

@@ -14,6 +14,7 @@ from django.conf import settings
from django.contrib.staticfiles import finders from django.contrib.staticfiles import finders
from django.dispatch import receiver from django.dispatch import receiver
from django.utils.formats import date_format from django.utils.formats import date_format
from django.utils.html import escape
from django.utils.timezone import now from django.utils.timezone import now
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from PyPDF2 import PdfFileReader from PyPDF2 import PdfFileReader
@@ -55,32 +56,32 @@ DEFAULT_VARIABLES = OrderedDict((
("item", { ("item", {
"label": _("Product name"), "label": _("Product name"),
"editor_sample": _("Sample product"), "editor_sample": _("Sample product"),
"evaluate": lambda orderposition, order, event: str(orderposition.item.name) "evaluate": lambda orderposition, order, event: escape(str(orderposition.item.name))
}), }),
("variation", { ("variation", {
"label": _("Variation name"), "label": _("Variation name"),
"editor_sample": _("Sample variation"), "editor_sample": _("Sample variation"),
"evaluate": lambda op, order, event: str(op.variation) if op.variation else '' "evaluate": lambda op, order, event: escape(str(op.variation) if op.variation else '')
}), }),
("item_description", { ("item_description", {
"label": _("Product description"), "label": _("Product description"),
"editor_sample": _("Sample product description"), "editor_sample": _("Sample product description"),
"evaluate": lambda orderposition, order, event: str(orderposition.item.description) "evaluate": lambda orderposition, order, event: escape(str(orderposition.item.description))
}), }),
("itemvar", { ("itemvar", {
"label": _("Product name and variation"), "label": _("Product name and variation"),
"editor_sample": _("Sample product sample variation"), "editor_sample": _("Sample product sample variation"),
"evaluate": lambda orderposition, order, event: ( "evaluate": lambda orderposition, order, event: escape((
'{} - {}'.format(orderposition.item.name, orderposition.variation) '{} - {}'.format(orderposition.item.name, orderposition.variation)
if orderposition.variation else str(orderposition.item.name) if orderposition.variation else str(orderposition.item.name)
) ))
}), }),
("item_category", { ("item_category", {
"label": _("Product category"), "label": _("Product category"),
"editor_sample": _("Ticket category"), "editor_sample": _("Ticket category"),
"evaluate": lambda orderposition, order, event: ( "evaluate": lambda orderposition, order, event: escape((
str(orderposition.item.category.name) if orderposition.item.category else "" str(orderposition.item.category.name) if orderposition.item.category else ""
) ))
}), }),
("price", { ("price", {
"label": _("Price"), "label": _("Price"),
@@ -99,12 +100,12 @@ DEFAULT_VARIABLES = OrderedDict((
("attendee_name", { ("attendee_name", {
"label": _("Attendee name"), "label": _("Attendee name"),
"editor_sample": _("John Doe"), "editor_sample": _("John Doe"),
"evaluate": lambda op, order, ev: op.attendee_name or (op.addon_to.attendee_name if op.addon_to else '') "evaluate": lambda op, order, ev: escape(op.attendee_name or (op.addon_to.attendee_name if op.addon_to else ''))
}), }),
("event_name", { ("event_name", {
"label": _("Event name"), "label": _("Event name"),
"editor_sample": _("Sample event name"), "editor_sample": _("Sample event name"),
"evaluate": lambda op, order, ev: str(ev.name) "evaluate": lambda op, order, ev: escape(str(ev.name))
}), }),
("event_date", { ("event_date", {
"label": _("Event date"), "label": _("Event date"),
@@ -185,12 +186,12 @@ DEFAULT_VARIABLES = OrderedDict((
("invoice_name", { ("invoice_name", {
"label": _("Invoice address name"), "label": _("Invoice address name"),
"editor_sample": _("John Doe"), "editor_sample": _("John Doe"),
"evaluate": lambda op, order, ev: order.invoice_address.name if getattr(order, 'invoice_address', None) else '' "evaluate": lambda op, order, ev: escape(order.invoice_address.name if getattr(order, 'invoice_address', None) else '')
}), }),
("invoice_company", { ("invoice_company", {
"label": _("Invoice address company"), "label": _("Invoice address company"),
"editor_sample": _("Sample company"), "editor_sample": _("Sample company"),
"evaluate": lambda op, order, ev: order.invoice_address.company if getattr(order, 'invoice_address', None) else '' "evaluate": lambda op, order, ev: escape(order.invoice_address.company if getattr(order, 'invoice_address', None) else '')
}), }),
("addons", { ("addons", {
"label": _("List of Add-Ons"), "label": _("List of Add-Ons"),
@@ -207,7 +208,7 @@ DEFAULT_VARIABLES = OrderedDict((
("organizer", { ("organizer", {
"label": _("Organizer name"), "label": _("Organizer name"),
"editor_sample": _("Event organizer company"), "editor_sample": _("Event organizer company"),
"evaluate": lambda op, order, ev: str(order.event.organizer.name) "evaluate": lambda op, order, ev: escape(str(order.event.organizer.name))
}), }),
("organizer_info_text", { ("organizer_info_text", {
"label": _("Organizer info text"), "label": _("Organizer info text"),
@@ -300,11 +301,11 @@ def variables_from_questions(sender, *args, **kwargs):
def _get_attendee_name_part(key, op, order, ev): def _get_attendee_name_part(key, op, order, ev):
return op.attendee_name_parts.get(key, '') return escape(op.attendee_name_parts.get(key, ''))
def _get_ia_name_part(key, op, order, ev): def _get_ia_name_part(key, op, order, ev):
return order.invoice_address.name_parts.get(key, '') if getattr(order, 'invoice_address', None) else '' return escape(order.invoice_address.name_parts.get(key, '') if getattr(order, 'invoice_address', None) else '')
def get_variables(event): def get_variables(event):