From 60be99fbb285c9f33ae2d9c4fe36a106422cca8e Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Wed, 3 Nov 2021 11:13:43 +0100
Subject: [PATCH] Another attempt at correct sanitization of HTML in invoice content (#2279)
---
src/pretix/base/invoice.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/pretix/base/invoice.py b/src/pretix/base/invoice.py
index abc2c75644..9c00f00ebb 100644
--- a/src/pretix/base/invoice.py
+++ b/src/pretix/base/invoice.py
@@ -550,7 +550,10 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
 for line in self.invoice.lines.all():
 if has_taxes:
 tdata.append((
- Paragraph(line.description, self.stylesheet['Normal']),
+ Paragraph(
+ bleach.clean(line.description, tags=['br']).strip().replace('
', '
').replace('\n', '
\n'),
+ self.stylesheet['Normal']
+ ),
 "1",
 localize(line.tax_rate) + " %",
 money_filter(line.net_value, self.invoice.event.currency),
@@ -558,7 +561,10 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
 ))
 else:
 tdata.append((
- Paragraph(line.description, self.stylesheet['Normal']),
+ Paragraph(
+ bleach.clean(line.description, tags=['br']).strip().replace('
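Review bot: The new `bleach.clean(line.description, tags=['br']).strip().replace(...)` chain is repeated verbatim in the second hunk (the `else` branch at `@@ -558`), so any later correction to how descriptions are escaped before reaching reportlab's `Paragraph` markup parser has to be made in two places — and the subject line shows this is already a second attempt at the fix. Consider a module-level helper such as `def _clean_description(text): return bleach.clean(text, tags=['br']).strip()...` carrying the same `.replace` chain once, and `Paragraph(_clean_description(line.description), self.stylesheet['Normal'])` at both call sites, so every description passed to `Paragraph` goes through the same escaping. The hunk adds no `import bleach` and the diffstat shows no other file changed, so the module presumably already imports it; worth confirming, since a missing name here would only surface when an invoice is rendered. The enclosing method of `ClassicInvoiceRenderer` starts before this hunk.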
', '
').replace('\n', '
\n'),
+ self.stylesheet['Normal']
+ ),
 "1",
 money_filter(line.gross_value, self.invoice.event.currency),
 ))