[SECURITY] Fix XSS injection vulnerabilities in question answers, event, quota and product names

2026-05-05 15:14:04 +00:00 · 2017-08-20 15:30:13 +02:00
parent 24e5d337a6
commit 3428ea2f18
7 changed files with 49 additions and 14 deletions
--- a/src/pretix/base/models/log.py
+++ b/src/pretix/base/models/log.py
@@ -5,6 +5,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.db import models
 from django.urls import reverse
 from django.utils.functional import cached_property
+from django.utils.html import escape
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _

 from pretix.base.models.event import SubEvent
@@ -68,7 +69,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'code': co.code
                }),
-                'val': co.code,
+                'val': escape(co.code),
            }
        elif isinstance(co, Voucher):
            a_text = _('Voucher {val}…')
@@ -78,7 +79,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'voucher': co.id
                }),
-                'val': co.code[:6],
+                'val': escape(co.code[:6]),
            }
        elif isinstance(co, Item):
            a_text = _('Product {val}')
@@ -88,7 +89,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'item': co.id
                }),
-                'val': co.name,
+                'val': escape(co.name),
            }
        elif isinstance(co, SubEvent):
            a_text = pgettext_lazy('subevent', 'Date {val}')
@@ -98,7 +99,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'subevent': co.id
                }),
-                'val': str(co)
+                'val': escape(str(co))
            }
        elif isinstance(co, Quota):
            a_text = _('Quota {val}')
@@ -108,7 +109,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'quota': co.id
                }),
-                'val': co.name,
+                'val': escape(co.name),
            }
        elif isinstance(co, ItemCategory):
            a_text = _('Category {val}')
@@ -118,7 +119,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'category': co.id
                }),
-                'val': co.name,
+                'val': escape(co.name),
            }
        elif isinstance(co, Question):
            a_text = _('Question {val}')
@@ -128,7 +129,7 @@ class LogEntry(models.Model):
                    'organizer': self.event.organizer.slug,
                    'question': co.id
                }),
-                'val': co.question,
+                'val': escape(co.question),
            }

        if a_text and a_map: