Another attempt at correct sanitization of HTML in invoice content (#2279)

2026-05-03 14:54:04 +00:00 · 2021-11-03 11:13:43 +01:00
parent 0c508c5ba4
commit 60be99fbb2
1 changed files with 8 additions and 2 deletions
--- a/src/pretix/base/invoice.py
+++ b/src/pretix/base/invoice.py
@@ -550,7 +550,10 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        for line in self.invoice.lines.all():
            if has_taxes:
                tdata.append((
-                    Paragraph(line.description, self.stylesheet['Normal']),
+                    Paragraph(
+                        bleach.clean(line.description, tags=['br']).strip().replace('<br>', '<br/>').replace('\n', '<br />\n'),
+                        self.stylesheet['Normal']
+                    ),
                    "1",
                    localize(line.tax_rate) + " %",
                    money_filter(line.net_value, self.invoice.event.currency),
@@ -558,7 +561,10 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                ))
            else:
                tdata.append((
-                    Paragraph(line.description, self.stylesheet['Normal']),
+                    Paragraph(
+                        bleach.clean(line.description, tags=['br']).strip().replace('<br>', '<br/>').replace('\n', '<br />\n'),
+                        self.stylesheet['Normal']
+                    ),
                    "1",
                    money_filter(line.gross_value, self.invoice.event.currency),
                ))