Markdown: fix double escaping URLs in safelink

* Markdown: fix double escaping URLs in safelink * add tests * fix isort
2026-05-06 15:24:02 +00:00 · 2026-01-29 12:14:12 +01:00
parent 4f521022f5
commit 1e2900ad2a
2 changed files with 43 additions and 1 deletions
--- a/src/pretix/base/templatetags/rich_text.py
+++ b/src/pretix/base/templatetags/rich_text.py
@@ -156,7 +156,7 @@ def safelink_callback(attrs, new=False):
    Makes sure that all links to a different domain are passed through a redirection handler
    to ensure there's no passing of referers with secrets inside them.
    """
-    url = attrs.get((None, 'href'), '/')
+    url = html.unescape(attrs.get((None, 'href'), '/'))
    if not url_has_allowed_host_and_scheme(url, allowed_hosts=None) and not url.startswith('mailto:') and not url.startswith('tel:'):
        signer = signing.Signer(salt='safe-redirect')
        attrs[None, 'href'] = reverse('redirect') + '?url=' + urllib.parse.quote(signer.sign(url))