Fix HTML injection in error message (Z#23225396) (#5921)

We're not treating it as a security issue, as there is no vector to
inject the HTML into other people's browsers, only into one's own.
This commit is contained in:
Raphael Michel
2026-02-24 12:48:43 +01:00
committed by GitHub
parent bf33a42ae8
commit ab447bb85f


@@ -870,11 +870,15 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
) )
except ValueError: except ValueError:
msgs[self.supported_locale[idx]] = '<div class="alert alert-danger">{}</div>'.format( msgs[self.supported_locale[idx]] = format_html(
PlaceholderValidator.error_message) '<div class="alert alert-danger">{}</div>',
PlaceholderValidator.error_message
)
except KeyError as e: except KeyError as e:
msgs[self.supported_locale[idx]] = '<div class="alert alert-danger">{}</div>'.format( msgs[self.supported_locale[idx]] = format_html(
_('Invalid placeholder: {%(value)s}') % {'value': e.args[0]}) '<div class="alert alert-danger">{}</div>',
_('Invalid placeholder: {%(value)s}') % {'value': e.args[0]}
)
return JsonResponse({ return JsonResponse({
'item': preview_item, 'item': preview_item,