Escape HTML in placeholder samples in mail preview (#4413)

CVE-2024-8113
Mira
2024-08-23 14:41:25 +02:00
committed by GitHub
parent a1db13b75e
commit f819f0c316
4 changed files with 11 additions and 8 deletions


@@ -50,7 +50,7 @@ from django.http import (
from django.shortcuts import redirect, render
from django.urls import resolve, reverse
from django.utils.functional import cached_property
from django.utils.html import format_html
from django.utils.html import format_html, escape
from django.utils.safestring import mark_safe
from django.utils.timezone import now
from django.utils.translation import gettext_lazy as _
@@ -563,7 +563,7 @@ class VoucherBulkMailPreview(EventPermissionRequiredMixin, View):
else:
ctx[p.identifier] = '<span class="placeholder" title="{}">{}</span>'.format(
_('This value will be replaced based on dynamic parameters.'),
s
escape(s)
)
return self.SafeDict(ctx)