CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

[SECURITY] Fix stored XSS in help texts

Browse Source
This commit is contained in:
Raphael Michel
2022-02-17 22:19:15 +01:00
committed by Raphael Michel
parent 6d6883b343
commit a66fdc5084
3 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/pretix/base/forms/questions.py
View File

@@ -705,7 +705,7 @@ class BaseQuestionsForm(forms.Form):
label=label, required=required, label=label, required=required,
min_value=q.valid_number_min or Decimal('0.00'), min_value=q.valid_number_min or Decimal('0.00'),
max_value=q.valid_number_max, max_value=q.valid_number_max,
help_text=q.help_text, help_text=help_text,
initial=initial.answer if initial else None, initial=initial.answer if initial else None,
) )
elif q.type == Question.TYPE_STRING: elif q.type == Question.TYPE_STRING:

5
src/pretix/presale/forms/checkout.py
View File

@@ -47,6 +47,7 @@ from pretix.base.forms.questions import (
BaseInvoiceAddressForm, BaseQuestionsForm, WrappedPhoneNumberPrefixWidget, BaseInvoiceAddressForm, BaseQuestionsForm, WrappedPhoneNumberPrefixWidget,
guess_phone_prefix, guess_phone_prefix,
) )
from pretix.base.templatetags.rich_text import rich_text
from pretix.base.validators import EmailBanlistValidator from pretix.base.validators import EmailBanlistValidator
from pretix.presale.signals import contact_form_fields from pretix.presale.signals import contact_form_fields
@@ -82,7 +83,7 @@ class ContactForm(forms.Form):
self.fields['phone'] = PhoneNumberField( self.fields['phone'] = PhoneNumberField(
label=_('Phone number'), label=_('Phone number'),
required=self.event.settings.order_phone_required, required=self.event.settings.order_phone_required,
help_text=self.event.settings.checkout_phone_helptext, help_text=rich_text(self.event.settings.checkout_phone_helptext),
widget=WrappedPhoneNumberPrefixWidget() widget=WrappedPhoneNumberPrefixWidget()
) )
@@ -91,7 +92,7 @@ class ContactForm(forms.Form):
# is an autofocus field. Who would have thought… See e.g. here: # is an autofocus field. Who would have thought… See e.g. here:
# https://floatboxjs.com/forum/topic.php?post=8440&usebb_sid=2e116486a9ec6b7070e045aea8cded5b#post8440 # https://floatboxjs.com/forum/topic.php?post=8440&usebb_sid=2e116486a9ec6b7070e045aea8cded5b#post8440
self.fields['email'].widget.attrs['autofocus'] = 'autofocus' self.fields['email'].widget.attrs['autofocus'] = 'autofocus'
self.fields['email'].help_text = self.event.settings.checkout_email_helptext self.fields['email'].help_text = rich_text(self.event.settings.checkout_email_helptext)
responses = contact_form_fields.send(self.event, request=self.request) responses = contact_form_fields.send(self.event, request=self.request)
for r, response in responses: for r, response in responses:

3
src/pretix/presale/forms/waitinglist.py
View File

@@ -28,6 +28,7 @@ from pretix.base.forms.questions import (
NamePartsFormField, WrappedPhoneNumberPrefixWidget, guess_phone_prefix, NamePartsFormField, WrappedPhoneNumberPrefixWidget, guess_phone_prefix,
) )
from pretix.base.models import Quota, WaitingListEntry from pretix.base.models import Quota, WaitingListEntry
from pretix.base.templatetags.rich_text import rich_text
from pretix.presale.views.event import get_grouped_items from pretix.presale.views.event import get_grouped_items
@@ -99,7 +100,7 @@ class WaitingListForm(forms.ModelForm):
self.fields['phone'] = PhoneNumberField( self.fields['phone'] = PhoneNumberField(
label=_("Phone number"), label=_("Phone number"),
required=event.settings.waiting_list_phones_required, required=event.settings.waiting_list_phones_required,
help_text=event.settings.waiting_list_phones_explanation_text, help_text=rich_text(event.settings.waiting_list_phones_explanation_text),
widget=WrappedPhoneNumberPrefixWidget() widget=WrappedPhoneNumberPrefixWidget()
) )
else: else: