Bump version to 2024.5.1

CVE-2024-8113

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2024.6.0.dev0"
+__version__ = "2024.5.1"

src/pretix/base/forms/widgets.py

@@ -38,6 +38,7 @@ from datetime import datetime
 from django import forms
 from django.utils.formats import get_format
 from django.utils.functional import lazy
+from django.utils.html import escape
 from django.utils.timezone import get_current_timezone, now
 from django.utils.translation import gettext_lazy as _
 
@@ -64,7 +65,7 @@ def format_placeholders_help_text(placeholders, event=None):
     placeholders = [(k, v.render_sample(event) if event else v) for k, v in placeholders.items()]
     placeholders.sort(key=lambda x: x[0])
     phs = [
-        '<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (_("Sample: %s") % v if v else "", k)
+        '<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(_("Sample: %s") % v) if v else "", escape(k))
         for k, v in placeholders
     ]
     return _('Available placeholders: {list}').format(

src/pretix/control/views/event.py

@@ -62,6 +62,7 @@ from django.http import (
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.functional import cached_property
+from django.utils.html import escape
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext, gettext_lazy as _, gettext_noop
@@ -740,7 +741,7 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
             else:
                 ctx[p.identifier] = '<span class="placeholder" title="{}">{}</span>'.format(
                     _('This value will be replaced based on dynamic parameters.'),
-                    s
+                    escape(s)
                 )
         return self.SafeDict(ctx)
 
@@ -781,7 +782,7 @@ class MailSettingsRendererPreview(MailSettingsPreview):
     def placeholders(self, item):
         ctx = {}
         for p in get_available_placeholders(self.request.event, MailSettingsForm.base_context[item]).values():
-            ctx[p.identifier] = str(p.render_sample(self.request.event))
+            ctx[p.identifier] = escape(str(p.render_sample(self.request.event)))
         return ctx
 
     def get(self, request, *args, **kwargs):

src/pretix/control/views/vouchers.py

@@ -50,7 +50,7 @@ from django.http import (
 from django.shortcuts import redirect, render
 from django.urls import resolve, reverse
 from django.utils.functional import cached_property
-from django.utils.html import format_html
+from django.utils.html import format_html, escape
 from django.utils.safestring import mark_safe
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -562,7 +562,7 @@ class VoucherBulkMailPreview(EventPermissionRequiredMixin, View):
             else:
                 ctx[p.identifier] = '<span class="placeholder" title="{}">{}</span>'.format(
                     _('This value will be replaced based on dynamic parameters.'),
-                    s
+                    escape(s)
                 )
         return self.SafeDict(ctx)
 

src/pretix/plugins/sendmail/views.py

@@ -46,6 +46,7 @@ from django.shortcuts import get_object_or_404, redirect
 from django.template.loader import get_template
 from django.urls import reverse
 from django.utils.functional import cached_property
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _, ngettext
 from django.views.generic import DeleteView, FormView, ListView, TemplateView
@@ -193,7 +194,7 @@ class BaseSenderView(EventPermissionRequiredMixin, FormView):
                     for k, v in get_available_placeholders(self.request.event, self.context_parameters).items():
                         context_dict[k] = '<span class="placeholder" title="{}">{}</span>'.format(
                             _('This value will be replaced based on dynamic parameters.'),
-                            v.render_sample(self.request.event)
+                            escape(v.render_sample(self.request.event))
                         )
 
                     subject = bleach.clean(form.cleaned_data['subject'].localize(l), tags=[])
@@ -608,7 +609,7 @@ class CreateRule(EventPermissionRequiredMixin, CreateView):
                                                                                 'position_or_address']).items():
                         context_dict[k] = '<span class="placeholder" title="{}">{}</span>'.format(
                             _('This value will be replaced based on dynamic parameters.'),
-                            v.render_sample(self.request.event)
+                            escape(v.render_sample(self.request.event))
                         )
 
                     subject = bleach.clean(form.cleaned_data['subject'].localize(l), tags=[])
@@ -684,7 +685,7 @@ class UpdateRule(EventPermissionRequiredMixin, UpdateView):
                 for k, v in get_available_placeholders(self.request.event, ['event', 'order', 'position_or_address']).items():
                     placeholders[k] = '<span class="placeholder" title="{}">{}</span>'.format(
                         _('This value will be replaced based on dynamic parameters.'),
-                        v.render_sample(self.request.event)
+                        escape(v.render_sample(self.request.event))
                     )
 
                 subject = bleach.clean(self.object.subject.localize(lang), tags=[])

src/pretix/presale/templates/pretixpresale/event/base.html

@@ -19,9 +19,6 @@
     {% if social_image %}
         <meta property="og:image" content="{{ social_image }}" />
     {% endif %}
-    {% if event.settings.google_site_verification %}
-        <meta name="google-site-verification" content="{{ event.settings.google_site_verification }}" />
-    {% endif %}
     {{ block.super }}
 {% endblock %}
 {% block above %}
@@ -71,23 +68,15 @@
 {% block page %}
     <div class="page-header{% if event_logo %} pager-header-with-logo{% endif %}{% if event_logo and event_logo_image_large %} logo-large{% endif %}">
         <div class="{% if not event_logo or not event_logo_image_large %}pull-left flip{% endif %}">
-            {% if event_logo and not event_logo_show_title %}
-                <h1 class="sr-only">
-                    {{ event.name }}
-                    {% if request.event.settings.show_dates_on_frontpage and not event.has_subevents %}
-                        <small>{{ event.get_date_range_display_as_html }}</small>
-                    {% endif %}
-                </h1>
-            {% endif %}
             {% if event_logo and event_logo_image_large %}
                 <a href="{% eventurl event "presale:event.index" cart_namespace=cart_namespace|default_if_none:"" %}"
                    aria-label="{% trans 'Homepage' %}" title="{% trans 'Homepage' %}">
-                    <img src="{{ event_logo|thumb:'1170x5000' }}" alt="{{ event.name }}" class="event-logo" />
+                    <img src="{{ event_logo|thumb:'1170x5000' }}" alt="" class="event-logo" />
                 </a>
             {% elif event_logo %}
                 <a href="{% eventurl event "presale:event.index" cart_namespace=cart_namespace|default_if_none:"" %}"
                    aria-label="{% trans 'Homepage' %}" title="{% trans 'Homepage' %}">
-                    <img src="{{ event_logo|thumb:'5000x120' }}" alt="{{ event.name }}" class="event-logo" />
+                    <img src="{{ event_logo|thumb:'5000x120' }}" alt="" class="event-logo" />
                 </a>
             {% else %}
                 <h1>

src/pretix/presale/templates/pretixpresale/organizers/base.html

@@ -12,10 +12,6 @@
         <meta name="robots" content="noindex, nofollow">
     {% endif %}
     <meta property="og:type" content="website" />
-
-    {% if organizer.settings.google_site_verification %}
-        <meta name="google-site-verification" content="{{ organizer.settings.google_site_verification }}" />
-    {% endif %}
     {{ block.super }}
 {% endblock %}
 {% block above %}
@@ -43,11 +39,6 @@
 {% block page %}
     <div class="page-header{% if organizer_logo %} pager-header-with-logo{% endif %}{% if organizer_logo and organizer.settings.organizer_logo_image_large %} logo-large{% endif %}">
         <div class="{% if not organizer_logo or not organizer.settings.organizer_logo_image_large %}pull-left flip{% endif %}">
-            {% if organizer_logo %}
-                <h1 class="sr-only">
-                    {{ organizer.name }}
-                </h1>
-            {% endif %}
             {% if organizer_logo and organizer.settings.organizer_logo_image_large %}
                 <a href="{% eventurl organizer "presale:organizer.index" %}" title="{{ organizer.name }}">
                     <img src="{{ organizer_logo|thumb:'1170x5000' }}" alt="{{ organizer.name }}"