diff --git a/pyproject.toml b/pyproject.toml
index 8e9202bdf9..2efb6c3ad0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,7 +29,7 @@ dependencies = [
"arabic-reshaper==3.0.0", # Support for Arabic in reportlab
"babel",
"BeautifulSoup4==4.12.*",
- "bleach==5.0.*",
+ "bleach==6.2.*",
"celery==5.4.*",
"chardet==5.2.*",
"cryptography>=3.4.2",
diff --git a/src/pretix/base/invoice.py b/src/pretix/base/invoice.py
index 30b1d3207d..30de1433e8 100644
--- a/src/pretix/base/invoice.py
+++ b/src/pretix/base/invoice.py
@@ -289,7 +289,7 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
def _clean_text(self, text, tags=None):
return self._normalize(bleach.clean(
text,
- tags=tags or []
+ tags=set(tags) if tags else set()
).strip().replace('
', '
').replace('\n', '
\n'))
@@ -461,7 +461,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
def _draw_event(self, canvas):
def shorten(txt):
txt = str(txt)
- txt = bleach.clean(txt, tags=[]).strip()
+ txt = bleach.clean(txt, tags=set()).strip()
p = Paragraph(self._normalize(txt.strip().replace('\n', '
\n')), style=self.stylesheet['Normal'])
p_size = p.wrap(self.event_width, self.event_height)
diff --git a/src/pretix/base/settings.py b/src/pretix/base/settings.py
index c16e6b6e06..26d6824cbc 100644
--- a/src/pretix/base/settings.py
+++ b/src/pretix/base/settings.py
@@ -550,7 +550,7 @@ DEFAULTS = {
'serializer_class': serializers.BooleanField,
'type': bool,
'form_kwargs': dict(
- label=_("Require a business addresses"),
+ label=_("Require a business address"),
help_text=_('This will require users to enter a company name.'),
widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_required'}),
)
diff --git a/src/pretix/base/templatetags/rich_text.py b/src/pretix/base/templatetags/rich_text.py
index d2324ef07f..1fe053abca 100644
--- a/src/pretix/base/templatetags/rich_text.py
+++ b/src/pretix/base/templatetags/rich_text.py
@@ -54,7 +54,7 @@ from tlds import tld_set
register = template.Library()
-ALLOWED_TAGS_SNIPPET = [
+ALLOWED_TAGS_SNIPPET = {
'a',
'abbr',
'acronym',
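Review bot: The allowlists `ALLOWED_TAGS_SNIPPET`, `ALLOWED_TAGS` and `ALLOWED_PROTOCOLS` become plain mutable sets shared across every caller of the sanitizer, so a stray `.add()` or `|=` anywhere (a plugin, a test fixture) would widen the HTML allowlist process-wide; bleach accepts any iterable here, so `frozenset` is the safer shape, e.g. `ALLOWED_PROTOCOLS = frozenset({'http', 'https', 'mailto', 'tel'})` and `ALLOWED_TAGS_SNIPPET = frozenset({ … })`. The `|` union on the new `ALLOWED_TAGS` line keeps working with a frozenset operand, as does the `ALLOWED_TAGS | {"img"}` form used in the test hunk. The same remark applies to the closing-brace hunks at the `}` lines for `ALLOWED_TAGS_SNIPPET`, `ALLOWED_TAGS` and the `ALLOWED_PROTOCOLS` hunk.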
@@ -68,8 +68,8 @@ ALLOWED_TAGS_SNIPPET = [
'strike',
's',
# Update doc/user/markdown.rst if you change this!
-]
-ALLOWED_TAGS = ALLOWED_TAGS_SNIPPET + [
+}
+ALLOWED_TAGS = ALLOWED_TAGS_SNIPPET | {
'blockquote',
'li',
'ol',
@@ -91,7 +91,7 @@ ALLOWED_TAGS = ALLOWED_TAGS_SNIPPET + [
'h6',
'pre',
# Update doc/user/markdown.rst if you change this!
-]
+}
ALLOWED_ATTRIBUTES = {
'a': ['href', 'title', 'class'],
@@ -106,7 +106,7 @@ ALLOWED_ATTRIBUTES = {
# Update doc/user/markdown.rst if you change this!
}
-ALLOWED_PROTOCOLS = ['http', 'https', 'mailto', 'tel']
+ALLOWED_PROTOCOLS = {'http', 'https', 'mailto', 'tel'}
URL_RE = SimpleLazyObject(lambda: build_url_re(tlds=sorted(tld_set, key=len, reverse=True)))
@@ -211,9 +211,9 @@ class CleanPostprocessor(Postprocessor):
def run(self, text):
return bleach.clean(
text,
- tags=self.tags,
+ tags=set(self.tags),
attributes=self.attributes,
- protocols=self.protocols,
+ protocols=set(self.protocols),
strip=self.strip
)
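Review bot: `set(self.tags)` and `set(self.protocols)` are rebuilt on every `run()` call, and the `tags=set(allowed_tags)` added in the `markdown_compile_email` hunk appears to perform the same conversion one level up, assuming `LinkifyAndCleanExtension` hands those arguments through to this postprocessor. Normalising once where the attributes are assigned (the `__init__` is outside this hunk), e.g. `self.tags = frozenset(tags)` and `self.protocols = frozenset(protocols)`, lets `run()` pass `tags=self.tags, protocols=self.protocols` directly and the caller-side `set()` can be dropped. `attributes=self.attributes` is passed through unconverted; if bleach 6 is as strict about that argument's shape as about `tags`, it deserves the same one-time normalisation, but that is not visible from these lines.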
@@ -308,7 +308,7 @@ def markdown_compile_email(source, allowed_tags=ALLOWED_TAGS, allowed_attributes
EmailNl2BrExtension(),
LinkifyAndCleanExtension(
linker,
- tags=allowed_tags,
+ tags=set(allowed_tags),
attributes=allowed_attributes,
protocols=ALLOWED_PROTOCOLS,
strip=False,
diff --git a/src/pretix/control/logdisplay.py b/src/pretix/control/logdisplay.py
index d4cc6eecd9..c4176ead45 100644
--- a/src/pretix/control/logdisplay.py
+++ b/src/pretix/control/logdisplay.py
@@ -613,7 +613,7 @@ def pretixcontrol_logentry_display(sender: Event, logentry: LogEntry, **kwargs):
if logentry.action_type == 'pretix.event.order.consent':
return _('The user confirmed the following message: "{}"').format(
- bleach.clean(logentry.parsed_data.get('msg'), tags=[], strip=True)
+ bleach.clean(logentry.parsed_data.get('msg'), tags=set(), strip=True)
)
if logentry.action_type == 'pretix.event.order.canceled':
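Review bot: `logentry.parsed_data.get('msg')` returns `None` when the key is absent, and `bleach.clean` raises `TypeError` for a non-str argument, so a log entry without a message would break the whole log display page rather than render an empty string; the commit touches this line but keeps the gap. A default keeps the rendering robust: `bleach.clean(logentry.parsed_data.get('msg') or '', tags=set(), strip=True)`. The enclosing `pretixcontrol_logentry_display` function starts and ends outside the hunk.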
diff --git a/src/pretix/plugins/checkinlists/exporters.py b/src/pretix/plugins/checkinlists/exporters.py
index f7749f6325..f42ef7eb2b 100644
--- a/src/pretix/plugins/checkinlists/exporters.py
+++ b/src/pretix/plugins/checkinlists/exporters.py
@@ -421,7 +421,7 @@ class PDFCheckinList(ReportlabExportMixin, CheckInListMixin, BaseExporter):
)
if op.seat:
item += '
' + str(op.seat)
- name = bleach.clean(str(name), tags=['br']).strip().replace('
', '
')
+ name = bleach.clean(str(name), tags={'br'}).strip().replace('
', '
')
if op.blocked:
name = '[' + _('Blocked') + '] ' + name
row = [
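Review bot: The expression `bleach.clean(str(…), tags={'br'}).strip().replace(…)` is now spelled out three times in this exporter (here for `name`, in the next hunk for `item`, and in the `acache` hunk for `txt`), so the allowed tag set and the line-break normalisation can drift apart on the next edit. A small private helper such as `def _clean_cell(self, value): return bleach.clean(str(value), tags={'br'}).strip().replace(…)` with the same replace arguments would make the three call sites one-liners; the replace arguments themselves appear to have lost their tag literals in this rendering, so I cannot quote them. The enclosing method starts and ends outside the hunk.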
@@ -430,7 +430,7 @@ class PDFCheckinList(ReportlabExportMixin, CheckInListMixin, BaseExporter):
'✘' if op.order.status != Order.STATUS_PAID else '✔',
op.order.code,
Paragraph(name, self.get_style()),
- Paragraph(bleach.clean(str(item), tags=['br']).strip().replace('
', '
'), self.get_style()),
+ Paragraph(bleach.clean(str(item), tags={'br'}).strip().replace('
', '
'), self.get_style()),
]
acache = {}
if op.addon_to:
@@ -440,7 +440,7 @@ class PDFCheckinList(ReportlabExportMixin, CheckInListMixin, BaseExporter):
acache[a.question_id] = format_answer_for_export(a)
for q in questions:
txt = acache.get(q.pk, '')
- txt = bleach.clean(txt, tags=['br']).strip().replace('
', '
')
+ txt = bleach.clean(txt, tags={'br'}).strip().replace('
', '
')
p = Paragraph(txt, self.get_style())
while p.wrap(colwidths[len(row)], 5000)[1] > 50 * mm:
txt = txt[:len(txt) - 50] + "..."
diff --git a/src/pretix/plugins/sendmail/views.py b/src/pretix/plugins/sendmail/views.py
index be5c18c688..c3d85c2c6d 100644
--- a/src/pretix/plugins/sendmail/views.py
+++ b/src/pretix/plugins/sendmail/views.py
@@ -198,7 +198,7 @@ class BaseSenderView(EventPermissionRequiredMixin, FormView):
escape(v.render_sample(self.request.event))
)
- subject = bleach.clean(form.cleaned_data['subject'].localize(l), tags=[])
+ subject = bleach.clean(form.cleaned_data['subject'].localize(l), tags=set())
preview_subject = prefix_subject(self.request.event, format_map(subject, context_dict), highlight=True)
message = form.cleaned_data['message'].localize(l)
preview_text = markdown_compile_email(format_map(message, context_dict))
@@ -616,7 +616,7 @@ class CreateRule(EventPermissionRequiredMixin, CreateView):
escape(v.render_sample(self.request.event))
)
- subject = bleach.clean(form.cleaned_data['subject'].localize(l), tags=[])
+ subject = bleach.clean(form.cleaned_data['subject'].localize(l), tags=set())
preview_subject = prefix_subject(self.request.event, format_map(subject, context_dict), highlight=True)
template = form.cleaned_data['template'].localize(l)
preview_text = markdown_compile_email(format_map(template, context_dict))
@@ -692,7 +692,7 @@ class UpdateRule(EventPermissionRequiredMixin, UpdateView):
escape(v.render_sample(self.request.event))
)
- subject = bleach.clean(self.object.subject.localize(lang), tags=[])
+ subject = bleach.clean(self.object.subject.localize(lang), tags=set())
preview_subject = prefix_subject(self.request.event, format_map(subject, placeholders), highlight=True)
template = self.object.template.localize(lang)
preview_text = markdown_compile_email(format_map(template, placeholders))
diff --git a/src/tests/base/test_rich_text.py b/src/tests/base/test_rich_text.py
index 6a952ad2e6..cfec1df683 100644
--- a/src/tests/base/test_rich_text.py
+++ b/src/tests/base/test_rich_text.py
@@ -137,7 +137,7 @@ def test_markdown_email_custom_allowlist():
source = ""
html = markdown_compile_email(
source,
- allowed_tags=ALLOWED_TAGS + ["img"],
+ allowed_tags=ALLOWED_TAGS | {"img"},
allowed_attributes=dict(ALLOWED_ATTRIBUTES, img=["src", "alt", "title"]),
)
assert html == '
