Make microdata XSS-safe and subevent-aware

2026-05-05 15:14:04 +00:00 · 2017-07-16 17:52:08 +02:00
parent 9c6090a355
commit 8afff29cd4
4 changed files with 35 additions and 27 deletions
--- a/src/pretix/base/models/event.py
+++ b/src/pretix/base/models/event.py
@@ -22,6 +22,7 @@ from pretix.base.models.base import LoggedModel
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.validators import EventSlugBlacklistValidator
 from pretix.helpers.daterange import daterange
+from pretix.helpers.json import safe_string

 from ..settings import settings_hierarkey
 from .organizer import Organizer
@@ -103,6 +104,30 @@ class EventMixin:
            return False
        return True

+    @property
+    def event_microdata(self):
+        import json
+
+        eventdict = {
+            "@context": "http://schema.org",
+            "@type": "Event", "location": {
+                "@type": "Place",
+                "address": str(self.location)
+            },
+            "name": str(self.name)
+        }
+
+        if self.settings.show_times:
+            eventdict["startDate"] = self.date_from.isoformat()
+            if self.settings.show_date_to and self.date_to is not None:
+                eventdict["endDate"] = self.date_to.isoformat()
+        else:
+            eventdict["startDate"] = self.date_from.date().isoformat()
+            if self.settings.show_date_to and self.date_to is not None:
+                eventdict["endDate"] = self.date_to.date().isoformat()
+
+        return safe_string(json.dumps(eventdict))
+

@settings_hierarkey.add(parent_field='organizer', cache_namespace='event')
 class Event(EventMixin, LoggedModel):
@@ -365,26 +390,6 @@ class Event(EventMixin, LoggedModel):
                providers[pp.identifier] = pp
        return providers

-    @property
-    def event_microdata(self):
-        import json
-
-        eventdict = {"@context": "http://schema.org", "@type": "Event"}
-        eventdict["location"] = {"@type": "Place",
-                                 "address": str(self.location)}
-        if self.settings.show_times:
-            eventdict["startDate"] = self.date_from.isoformat()
-            if self.settings.show_date_to and self.date_to is not None:
-                eventdict["endDate"] = self.date_to.isoformat()
-        else:
-            eventdict["startDate"] = self.date_from.date().isoformat()
-            if self.settings.show_date_to and self.date_to is not None:
-                eventdict["endDate"] = self.date_to.date().isoformat()
-
-        eventdict["name"] = str(self.name)
-
-        return json.dumps(eventdict)
-
    def get_invoice_renderers(self) -> dict:
        """
        Returns a dictionary of initialized invoice renderers mapped by their identifiers.