Fix HTML injection in error message (Z#23225396) (#5921)

We're not treating it as a security issue as there is no vector to inject the HTML into other people's browser, only one's own.
2026-02-24 12:48:43 +01:00
parent bf33a42ae8
commit ab447bb85f
1 changed files with 8 additions and 4 deletions
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -870,11 +870,15 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
                                )

                        except ValueError:
-                            msgs[self.supported_locale[idx]] = '<div class="alert alert-danger">{}</div>'.format(
-                                PlaceholderValidator.error_message)
+                            msgs[self.supported_locale[idx]] = format_html(
+                                '<div class="alert alert-danger">{}</div>',
+                                PlaceholderValidator.error_message
+                            )
                        except KeyError as e:
-                            msgs[self.supported_locale[idx]] = '<div class="alert alert-danger">{}</div>'.format(
-                                _('Invalid placeholder: {%(value)s}') % {'value': e.args[0]})
+                            msgs[self.supported_locale[idx]] = format_html(
+                                '<div class="alert alert-danger">{}</div>',
+                                _('Invalid placeholder: {%(value)s}') % {'value': e.args[0]}
+                            )

        return JsonResponse({
            'item': preview_item,