[SECURITY] Fix XSS vulnerability in Lightbox caption

2017-08-21 12:13:22 +02:00
parent 9a9bb92f91
commit fb398a5520
2 changed files with 8 additions and 4 deletions
--- a/src/pretix/presale/templates/pretixpresale/event/index.html
+++ b/src/pretix/presale/templates/pretixpresale/event/index.html
@@ -170,7 +170,8 @@
                                        <div class="col-md-8 col-xs-12">
                                            {% if item.picture %}
                                                <a href="{{ item.picture.url }}" class="productpicture"
-                                                        data-title="{{ item.name }}"
+                                                        data-title="{{ item.name|force_escape|force_escape }}"
+                                                        {# Yes, double-escape to prevent XSS in lightbox #}
                                                        data-lightbox="{{ item.id }}">
                                                    <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                            alt="{{ item.name }}"/>
@@ -281,7 +282,8 @@
                                    <div class="col-md-8 col-xs-12">
                                        {% if item.picture %}
                                            <a href="{{ item.picture.url }}" class="productpicture"
-                                                    data-title="{{ item.name }}"
+                                                    data-title="{{ item.name|force_escape|force_escape }}"
+                                                    {# Yes, double-escape to prevent XSS in lightbox #}
                                                    data-lightbox="{{ item.id }}">
                                                <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                        alt="{{ item.name }}"/>
--- a/src/pretix/presale/templates/pretixpresale/event/voucher.html
+++ b/src/pretix/presale/templates/pretixpresale/event/voucher.html
@@ -38,7 +38,8 @@
                                    <div class="col-md-8 col-xs-12">
                                        {% if item.picture %}
                                            <a href="{{ item.picture.url }}" class="productpicture"
-                                                    data-title="{{ item.name }}"
+                                                    data-title="{{ item.name|force_escape|force_escape }}"
+                                                    {# Yes, double-escape to prevent XSS in lightbox #}
                                                    data-lightbox="{{ item.id }}">
                                                <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                        alt="{{ item.name }}"/>
@@ -125,7 +126,8 @@
                                <div class="col-md-8 col-xs-12">
                                    {% if item.picture %}
                                        <a href="{{ item.picture.url }}" class="productpicture"
-                                                data-title="{{ item.name }}"
+                                                data-title="{{ item.name|force_escape|force_escape }}"
+                                                {# Yes, double-escape to prevent XSS in lightbox #}
                                                data-lightbox="{{ item.id }}">
                                            <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                    alt="{{ item.name }}"/>