CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Escape HTML in placeholder samples in mail preview (#4413)

Browse Source 
CVE-2024-8113
This commit is contained in:
Mira
2024-08-23 14:41:25 +02:00
committed by GitHub
parent a1db13b75e
commit f819f0c316
4 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/pretix/control/views/event.py
View File

@@ -62,6 +62,7 @@ from django.http import (
from django.shortcuts import get_object_or_404, redirect
from django.urls import reverse
from django.utils.functional import cached_property
from django.utils.html import escape
from django.utils.http import url_has_allowed_host_and_scheme
from django.utils.timezone import now
from django.utils.translation import gettext, gettext_lazy as _, gettext_noop
@@ -727,7 +728,7 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
else:
ctx[p.identifier] = '<span class="placeholder" title="{}">{}</span>'.format(
_('This value will be replaced based on dynamic parameters.'),
s
escape(s)
)
return ctx
@@ -777,7 +778,7 @@ class MailSettingsRendererPreview(MailSettingsPreview):
def placeholders(self, item):
ctx = {}
for p in get_available_placeholders(self.request.event, MailSettingsForm.base_context[item]).values():
ctx[p.identifier] = str(p.render_sample(self.request.event))
ctx[p.identifier] = escape(str(p.render_sample(self.request.event)))
return ctx
def get(self, request, *args, **kwargs):

4
src/pretix/control/views/vouchers.py
View File

@@ -50,7 +50,7 @@ from django.http import (
from django.shortcuts import redirect, render
from django.urls import resolve, reverse
from django.utils.functional import cached_property
from django.utils.html import format_html
from django.utils.html import format_html, escape
from django.utils.safestring import mark_safe
from django.utils.timezone import now
from django.utils.translation import gettext_lazy as _
@@ -563,7 +563,7 @@ class VoucherBulkMailPreview(EventPermissionRequiredMixin, View):
else:
ctx[p.identifier] = '<span class="placeholder" title="{}">{}</span>'.format(
_('This value will be replaced based on dynamic parameters.'),
s
escape(s)
)
return self.SafeDict(ctx)