From fb9d677d76f6c77fe39a6b2785f9a7ef707a6e2d Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Thu, 7 Sep 2017 23:29:21 +0200
Subject: [PATCH] CSP: Allow blob: URLs for images in PDFs

---
 src/pretix/plugins/ticketoutputpdf/views.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/pretix/plugins/ticketoutputpdf/views.py b/src/pretix/plugins/ticketoutputpdf/views.py
index 922e4fc5b..7c0bdda7e 100644
--- a/src/pretix/plugins/ticketoutputpdf/views.py
+++ b/src/pretix/plugins/ticketoutputpdf/views.py
@@ -20,7 +20,6 @@ from pretix.base.models import (
     CachedCombinedTicket, CachedFile, CachedTicket, InvoiceAddress,
 )
 from pretix.control.permissions import EventPermissionRequiredMixin
-from pretix.control.views import ChartContainingView
 from pretix.helpers.database import rolledback_transaction
 from pretix.plugins.ticketoutputpdf.signals import get_fonts
 
@@ -29,7 +28,7 @@ from .ticketoutput import PdfTicketOutput
 logger = logging.getLogger(__name__)
 
 
-class EditorView(EventPermissionRequiredMixin, ChartContainingView, TemplateView):
+class EditorView(EventPermissionRequiredMixin, TemplateView):
     template_name = 'pretixplugins/ticketoutputpdf/index.html'
     permission = 'can_change_settings'
     accepted_formats = (
@@ -38,6 +37,11 @@ class EditorView(EventPermissionRequiredMixin, ChartContainingView, TemplateView
     maxfilesize = 1024 * 1024 * 10
     minfilesize = 10
 
+    def get(self, request, *args, **kwargs):
+        resp = super().get(request, *args, **kwargs)
+        resp['Content-Security-Policy'] = "script-src 'unsafe-eval'; style-src 'unsafe-inline'; img-src blob:; font-src data: blob:"
+        return resp
+
     def process_upload(self):
         f = self.request.FILES.get('background')
         error = False
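Review bot: The policy assigned on the `resp['Content-Security-Policy']` line has no host source in any directive, so unless a site-wide middleware merges this header into a default policy (nothing in the hunk shows that), `script-src 'unsafe-eval'` on its own blocks every `<script src>` on the editor page while still opening `eval`, and a reader cannot tell from the hunk which reading is intended. I would make the intent explicit above that line and record why each relaxation exists, e.g. `# Page-local CSP delta for the PDF editor (presumably merged with the site default by middleware — confirm): the editor's client-side code needs 'unsafe-eval' and inline styles, and renders uploaded backgrounds/fonts from blob:/data: URLs. Keep this confined to this view; 'unsafe-eval' removes most of CSP's XSS protection.` If the header is meant to stand alone it should instead read `script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' blob:; font-src 'self' data: blob:`. Note also that the header is attached only in `get()`, so a POST response from this view carries no page-local policy and, whatever the old `ChartContainingView` mixin provided, that is no longer inherited; `process_upload` continues past the end of the hunk.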