From ab447bb85f35f517046e81cab6ca4497d33110a2 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Tue, 24 Feb 2026 12:48:43 +0100
Subject: [PATCH] Fix HTML injection in error message (Z#23225396) (#5921)
We're not treating it as a security issue as there is no vector to inject the HTML into other people's browser, only one's own.
---
 src/pretix/control/views/event.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/pretix/control/views/event.py b/src/pretix/control/views/event.py
index bb34ca6356..d09a833181 100644
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -870,11 +870,15 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
 )
 except ValueError:
- msgs[self.supported_locale[idx]] = '
{}
'.format(
- PlaceholderValidator.error_message)
+ msgs[self.supported_locale[idx]] = format_html(
+ '
{}
',
+ PlaceholderValidator.error_message
+ )
 except KeyError as e:
- msgs[self.supported_locale[idx]] = '
{}
'.format(
- _('Invalid placeholder: {%(value)s}') % {'value': e.args[0]})
+ msgs[self.supported_locale[idx]] = format_html(
+ '
{}
',
+ _('Invalid placeholder: {%(value)s}') % {'value': e.args[0]}
+ )
 return JsonResponse({
 'item': preview_item,
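Review bot: Both new `format_html(...)` calls depend on `format_html` being in scope, yet the diffstat (8 insertions, 4 deletions, all inside this hunk) shows no import line was added, so confirm `from django.utils.html import format_html` already exists in event.py; otherwise the preview view raises NameError the first time a placeholder error is hit. The escaping itself looks right: the `%`-interpolation of `e.args[0]` in the KeyError branch happens before the value reaches `format_html`, so the whole user-controlled placeholder name is escaped as one argument rather than being spliced into the markup. Nothing in the hunk records why `str.format` was replaced, so a one-line comment above the first call such as `# msgs is rendered as HTML on the client (presumably from this JSON); escape the user-controlled text via format_html` would keep a future edit from reverting to plain string formatting. The enclosing method of MailSettingsPreview starts before this hunk, so whether other message-building sites in it still use `str.format` cannot be checked from here.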