[SECURITY] Fix XSS injection vulnerabilities in question answers, event, quota and product names

2026-05-05 15:14:04 +00:00 · 2017-08-20 15:30:13 +02:00
parent 24e5d337a6
commit 3428ea2f18
7 changed files with 49 additions and 14 deletions
--- a/src/pretix/plugins/statistics/templates/pretixplugins/statistics/index.html
+++ b/src/pretix/plugins/statistics/templates/pretixplugins/statistics/index.html
@@ -2,6 +2,7 @@
 {% load i18n %}
 {% load compress %}
 {% load staticfiles %}
+{% load escapejson %}
 {% block title %}{% trans "Statistics" %}{% endblock %}
 {% block content %}
    <h1>{% trans "Statistics" %}</h1>
@@ -30,9 +31,9 @@
                <div id="obp_chart" class="chart"></div>
            </div>
        </div>
-        <script type="application/json" id="obd-data">{{ obd_data|safe }}</script>
-        <script type="application/json" id="rev-data">{{ rev_data|safe }}</script>
-        <script type="application/json" id="obp-data">{{ obp_data|safe }}</script>
+        <script type="application/json" id="obd-data">{{ obd_data|escapejson }}</script>
+        <script type="application/json" id="rev-data">{{ rev_data|escapejson }}</script>
+        <script type="application/json" id="obp-data">{{ obp_data|escapejson }}</script>
        <script type="application/text" id="currency">{{ request.event.currency }}</script>
        <script type="application/javascript" src="{% static "pretixplugins/statistics/statistics.js" %}"></script>
    {% else %}