From affc6254a8316643d4afe9e8b7f8cd288c86ca1f Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Tue, 12 Mar 2019 09:20:48 +0100
Subject: [PATCH] Fix potential XSS in questions [not a vulnerability, thanks to CSP]
---
 src/pretix/base/forms/questions.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/pretix/base/forms/questions.py b/src/pretix/base/forms/questions.py
index 5023f61d25..d8b3ef4c2c 100644
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -9,6 +9,7 @@ import vat_moss.id
 from django import forms
 from django.contrib import messages
 from django.core.exceptions import ValidationError
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext_lazy as _
@@ -171,6 +172,7 @@ class BaseQuestionsForm(forms.Form):
 initial = None
 tz = pytz.timezone(event.settings.timezone)
 help_text = rich_text(q.help_text)
+ label = escape(q.question) # django-bootstrap3 calls mark_safe
 if q.type == Question.TYPE_BOOLEAN:
 if q.required:
 # For some reason, django-bootstrap3 does not set the required attribute
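Review bot: The new `label = escape(q.question)` line fixes the right spot, but its comment only names the mechanism, not the threat, and a later maintainer reading `# django-bootstrap3 calls mark_safe` may well "simplify" it away; I would expand it to `# django-bootstrap3 passes labels through mark_safe, so organizer-controlled question text must be escaped here — do not rely on CSP for this`. Note that Django's `escape()` keeps laziness only for Django `Promise` objects, so if `q.question` is an i18n lazy string (it looks like one, given the rest of pretix) it is resolved to a single language at form construction; that is fine as long as the form is always built with the request's language already activated, which I cannot confirm from this hunk. The subject's "not a vulnerability thanks to CSP" is only true for script execution — injected markup can still alter the form (e.g. extra inputs or a closing tag that swallows the rest of the field), so the escape is worth keeping regardless of CSP. The enclosing method starts before and continues after this hunk.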
@@ -185,26 +187,26 @@ class BaseQuestionsForm(forms.Form):
 initialbool = False
 field = forms.BooleanField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 initial=initialbool,
 widget=widget,
 )
 elif q.type == Question.TYPE_NUMBER:
 field = forms.DecimalField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=q.help_text,
 initial=initial.answer if initial else None,
 min_value=Decimal('0.00'),
 )
 elif q.type == Question.TYPE_STRING:
 field = forms.CharField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 initial=initial.answer if initial else None,
 )
 elif q.type == Question.TYPE_TEXT:
 field = forms.CharField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 widget=forms.Textarea,
 initial=initial.answer if initial else None,
@@ -212,7 +214,7 @@ class BaseQuestionsForm(forms.Form):
 elif q.type == Question.TYPE_CHOICE:
 field = forms.ModelChoiceField(
 queryset=q.options,
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 widget=forms.Select,
 empty_label='',
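Review bot: The `TYPE_NUMBER` branch still passes the raw `help_text=q.help_text` to `forms.DecimalField`, while every other branch in this hunk passes the `help_text` variable that was run through `rich_text(q.help_text)` earlier in the method. Since this commit exists precisely because django-bootstrap3 marks form-field text safe, an unsanitized organizer-supplied help text on the number field looks like the same class of injection the label fix addresses, and at minimum it renders inconsistently with the other question types; I cannot see from here whether django-bootstrap3 treats help_text the way the new comment says it treats labels, so please verify rather than assume. The one-line change is `help_text=help_text,` in the `DecimalField(...)` call. The enclosing `elif` chain continues past the end of this hunk.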
@@ -221,35 +223,35 @@ class BaseQuestionsForm(forms.Form):
 elif q.type == Question.TYPE_CHOICE_MULTIPLE:
 field = forms.ModelMultipleChoiceField(
 queryset=q.options,
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 widget=forms.CheckboxSelectMultiple,
 initial=initial.options.all() if initial else None,
 )
 elif q.type == Question.TYPE_FILE:
 field = forms.FileField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 initial=initial.file if initial else None,
 widget=UploadedFileWidget(position=pos, event=event, answer=initial),
 )
 elif q.type == Question.TYPE_DATE:
 field = forms.DateField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 initial=dateutil.parser.parse(initial.answer).date() if initial and initial.answer else None,
 widget=DatePickerWidget(),
 )
 elif q.type == Question.TYPE_TIME:
 field = forms.TimeField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 initial=dateutil.parser.parse(initial.answer).time() if initial and initial.answer else None,
 widget=TimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
 )
 elif q.type == Question.TYPE_DATETIME:
 field = SplitDateTimeField(
- label=q.question, required=q.required,
+ label=label, required=q.required,
 help_text=help_text,
 initial=dateutil.parser.parse(initial.answer).astimezone(tz) if initial and initial.answer else None,
 widget=SplitDateTimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
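Review bot: In the `TYPE_DATETIME` branch, `dateutil.parser.parse(initial.answer).astimezone(tz)` is only correct when the stored answer carries a UTC offset; if a stored value is naive, `datetime.astimezone()` interprets it in the server process's local timezone rather than in the event timezone `tz` computed earlier in the method, so a pre-filled answer can silently shift by the host/event offset. I cannot tell from this hunk how answers are serialised, so if they are always written with an offset this is moot, but a defensive form is cheap: `parsed = dateutil.parser.parse(initial.answer)` followed by `initial=(parsed.astimezone(tz) if parsed.tzinfo else tz.localize(parsed)) if initial and initial.answer else None`. The `SplitDateTimeField(...)` call and the rest of the method continue beyond the end of this hunk.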