CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

[SECURITY] Prevent HTML injection through placeholders in emails

Browse Source 
Co-authored-by: luelista <weller@pretix.eu>
This commit is contained in:
Raphael Michel
2025-11-24 00:04:24 +01:00
parent bfab523d83
commit fdd34f387a
9 changed files with 219 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/pretix/base/email.py
View File

@@ -133,11 +133,11 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
def template_name(self):
raise NotImplementedError()
def compile_markdown(self, plaintext):
return markdown_compile_email(plaintext)
def compile_markdown(self, plaintext, context=None):
return markdown_compile_email(plaintext, context=context)
def render(self, plain_body: str, plain_signature: str, subject: str, order, position, context) -> str:
body_md = self.compile_markdown(plain_body)
body_md = self.compile_markdown(plain_body, context)
if context:
body_md = format_map(body_md, context=context, mode=SafeFormatter.MODE_RICH_TO_HTML)
htmlctx = {