Mark strings as formatted to prevent double-formatting

2026-05-15 16:54:00 +00:00 · 2026-02-13 10:35:41 +01:00
parent ff351f2856
commit 474ca35616
3 changed files with 30 additions and 8 deletions
--- a/src/pretix/base/models/orders.py
+++ b/src/pretix/base/models/orders.py
@@ -87,7 +87,7 @@ from pretix.base.timemachine import time_machine_now

 from ...helpers import OF_SELF
 from ...helpers.countries import CachedCountries, FastCountryField
-from ...helpers.format import format_map
+from ...helpers.format import FormattedString, format_map
 from ...helpers.names import build_name
 from ...testutils.middleware import debugflags_var
 from ._transactions import (
@@ -1181,7 +1181,8 @@ class Order(LockModel, LoggedModel):

            try:
                email_content = render_mail(template, context)
-                subject = format_map(subject, context)
+                if not isinstance(subject, FormattedString):
+                    subject = format_map(subject, context)
                mail(
                    recipient, subject, template, context,
                    self.event, self.locale, self, headers=headers, sender=sender,
@@ -2926,7 +2927,8 @@ class OrderPosition(AbstractPosition):
            recipient = self.attendee_email
            try:
                email_content = render_mail(template, context)
-                subject = format_map(subject, context)
+                if not isinstance(subject, FormattedString):
+                    subject = format_map(subject, context)
                mail(
                    recipient, subject, template, context,
                    self.event, self.order.locale, order=self.order, headers=headers, sender=sender,
--- a/src/pretix/base/services/mail.py
+++ b/src/pretix/base/services/mail.py
@@ -76,7 +76,7 @@ from pretix.base.services.tasks import TransactionAwareTask
 from pretix.base.services.tickets import get_tickets_for_order
 from pretix.base.signals import email_filter, global_email_filter
 from pretix.celery_app import app
-from pretix.helpers.format import SafeFormatter, format_map
+from pretix.helpers.format import FormattedString, SafeFormatter, format_map
 from pretix.helpers.hierarkey import clean_filename
 from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.presale.ical import get_private_icals
@@ -200,6 +200,9 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
    if email == INVALID_ADDRESS:
        return

+    if isinstance(template, FormattedString):
+        raise TypeError("Cannot pass an already formatted body template")
+
    if no_order_links and not plain_text_only:
        raise ValueError('If you set no_order_links, you also need to set plain_text_only.')

@@ -223,7 +226,8 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                })
        renderer = ClassicMailRenderer(None, organizer)
        content_plain = render_mail(template, context, placeholder_mode=None)
-        subject = format_map(subject, context)
+        if not isinstance(subject, FormattedString):
+            subject = format_map(subject, context)
        sender = (
            sender or
            (event.settings.get('mail_from') if event else None) or
@@ -255,7 +259,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
        else:
            timezone = ZoneInfo(settings.TIME_ZONE)

-        body_plain = render_mail(template, context, placeholder_mode=SafeFormatter.MODE_RICH_TO_PLAIN)
+        body_plain = format_map(content_plain, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)
        if settings_holder:
            if settings_holder.settings.mail_bcc:
                for bcc_mail in settings_holder.settings.mail_bcc.split(','):
--- a/src/pretix/helpers/format.py
+++ b/src/pretix/helpers/format.py
@@ -22,6 +22,7 @@
 import logging
 from string import Formatter

+from django.core.exceptions import SuspiciousOperation
 from django.utils.html import conditional_escape

 logger = logging.getLogger(__name__)
@@ -37,6 +38,17 @@ class PlainHtmlAlternativeString:
        return f"PlainHtmlAlternativeString('{self.plain}', '{self.html}')"


+class FormattedString(str):
+    """
+    A str subclass that has been specifically marked as "already formatted" for email rendering
+    purposes to avoid duplicate formatting.
+    """
+    __slots__ = ()
+
+    def __str__(self):
+        return self
+
+
 class SafeFormatter(Formatter):
    """
    Customized version of ``str.format`` that (a) behaves just like ``str.format_map`` and
@@ -78,7 +90,11 @@ class SafeFormatter(Formatter):
        return super().format_field(self._prepare_value(value), '')


-def format_map(template, context, raise_on_missing=False, mode=SafeFormatter.MODE_RICH_TO_PLAIN, linkifier=None):
+def format_map(template, context, raise_on_missing=False, mode=SafeFormatter.MODE_RICH_TO_PLAIN, linkifier=None) -> FormattedString:
+    if isinstance(template, FormattedString):
+        raise SuspiciousOperation("Calling format_map() on an already formatted string is likely unsafe.")
    if not isinstance(template, str):
        template = str(template)
-    return SafeFormatter(context, raise_on_missing, mode=mode, linkifier=linkifier).format(template)
+    return FormattedString(
+        SafeFormatter(context, raise_on_missing, mode=mode, linkifier=linkifier).format(template)
+    )