From b03daab452b5a51faf10f24b94de501217748463 Mon Sep 17 00:00:00 2001
From: Raphael Michel <michel@rami.io>
Date: Tue, 25 Jan 2022 12:58:06 +0100
Subject: [PATCH] [SECURITY] Fix (non-exploitable) XSS issue

---
 .../pretixcontrol/checkin/checkins.html          |  6 +++---
 .../pretixcontrol/fragment_quota_box.html        |  2 +-
 .../pretixcontrol/fragment_quota_box_paid.html   |  2 +-
 .../templates/pretixcontrol/order/index.html     | 12 ++++++------
 .../stripe/checkout_payment_form_cc.html         |  2 +-
 src/pretix/static/pretixcontrol/js/ui/main.js    | 16 +++++++++++++++-
 6 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/src/pretix/control/templates/pretixcontrol/checkin/checkins.html b/src/pretix/control/templates/pretixcontrol/checkin/checkins.html
index 3b87cf2d9c..40589b141f 100644
--- a/src/pretix/control/templates/pretixcontrol/checkin/checkins.html
+++ b/src/pretix/control/templates/pretixcontrol/checkin/checkins.html
@@ -74,17 +74,17 @@
                             {{ c.datetime|date:"SHORT_DATETIME_FORMAT" }}
                             {% if c.type == "exit" %}
                                 {% if c.auto_checked_in %}
-                                    <span class="fa fa-fw fa-hourglass-end" data-toggle="tooltip_html"
+                                    <span class="fa fa-fw fa-hourglass-end" data-toggle="tooltip"
                                           title="{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically marked not present: {{ date }}{% endblocktrans %}"></span>
                                 {% endif %}
                             {% elif c.forced and c.successful %}
-                                <span class="fa fa-fw fa-warning" data-toggle="tooltip_html"
+                                <span class="fa fa-fw fa-warning" data-toggle="tooltip"
                                       title="{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Additional entry scan: {{ date }}{% endblocktrans %}"></span>
                             {% elif c.forced and not c.successful %}
                                 <br>
                                 <small class="text-muted">{% trans "Failed in offline mode" %}</small>
                             {% elif c.auto_checked_in %}
-                                <span class="fa fa-fw fa-magic" data-toggle="tooltip_html"
+                                <span class="fa fa-fw fa-magic" data-toggle="tooltip"
                                       title="{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically checked in: {{ date }}{% endblocktrans %}"></span>
                             {% endif %}
                         </td>
diff --git a/src/pretix/control/templates/pretixcontrol/fragment_quota_box.html b/src/pretix/control/templates/pretixcontrol/fragment_quota_box.html
index 0d7ddf490d..82b1a16f1f 100644
--- a/src/pretix/control/templates/pretixcontrol/fragment_quota_box.html
+++ b/src/pretix/control/templates/pretixcontrol/fragment_quota_box.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 <div class="quotabox availability" data-toggle="tooltip_html" data-placement="top"
-        title="{% trans "Quota:" %} {{ q.name }}<br>{% blocktrans with date=q.cached_availability_time|date:"SHORT_DATETIME_FORMAT" %}Numbers as of {{ date }}{% endblocktrans %}">
+        title="{% trans "Quota:" %} {{ q.name|force_escape|force_escape }}<br>{% blocktrans with date=q.cached_availability_time|date:"SHORT_DATETIME_FORMAT" %}Numbers as of {{ date }}{% endblocktrans %}">
     {% if q.size|default_if_none:"NONE" == "NONE" %}
         <div class="progress">
             <div class="progress-bar progress-bar-success progress-bar-100">
diff --git a/src/pretix/control/templates/pretixcontrol/fragment_quota_box_paid.html b/src/pretix/control/templates/pretixcontrol/fragment_quota_box_paid.html
index 19b80e9e42..1878965a56 100644
--- a/src/pretix/control/templates/pretixcontrol/fragment_quota_box_paid.html
+++ b/src/pretix/control/templates/pretixcontrol/fragment_quota_box_paid.html
@@ -1,6 +1,6 @@
 {% load i18n %}
 <a class="quotabox" data-toggle="tooltip_html" data-placement="top"
-        title="{% trans "Quota:" %} {{ q.name }}{% if q.cached_avail.1 is not None %}<br>{% blocktrans with num=q.cached_avail.1 %}Currently available: {{ num }}{% endblocktrans %}{% endif %}"
+        title="{% trans "Quota:" %} {{ q.name|force_escape|force_escape }}{% if q.cached_avail.1 is not None %}<br>{% blocktrans with num=q.cached_avail.1 %}Currently available: {{ num }}{% endblocktrans %}{% endif %}"
     href="{% url "control:event.items.quotas.show" event=q.event.slug organizer=q.event.organizer.slug quota=q.pk %}">
     {% if q.size|default_if_none:"NONE" == "NONE" %}
         <div class="progress">
diff --git a/src/pretix/control/templates/pretixcontrol/order/index.html b/src/pretix/control/templates/pretixcontrol/order/index.html
index 10de1ad2b5..eb0daa0ddc 100644
--- a/src/pretix/control/templates/pretixcontrol/order/index.html
+++ b/src/pretix/control/templates/pretixcontrol/order/index.html
@@ -360,19 +360,19 @@
                                 {% if line.checkins.all %}
                                     {% for c in line.all_checkins.all %}
                                         {% if not c.successful %}
-                                            <span class="fa fa-fw fa-exclamation-circle text-danger" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Denied scan: {{ date }}{% endblocktrans %}<br>{{ c.get_error_reason_display }}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
+                                            <span class="fa fa-fw fa-exclamation-circle text-danger" data-toggle="tooltip_html" title="{{ c.list.name|force_escape|force_escape }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Denied scan: {{ date }}{% endblocktrans %}<br>{{ c.get_error_reason_display }}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% elif c.type == "exit" %}
                                             {% if c.auto_checked_in %}
-                                                <span class="fa fa-fw text-success fa-hourglass-end" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically marked not present: {{ date }}{% endblocktrans %}"></span>
+                                                <span class="fa fa-fw text-success fa-hourglass-end" data-toggle="tooltip_html" title="{{ c.list.name|force_escape|force_escape }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically marked not present: {{ date }}{% endblocktrans %}"></span>
                                             {% else %}
-                                                <span class="fa fa-fw text-success fa-sign-out" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Exit scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
+                                                <span class="fa fa-fw text-success fa-sign-out" data-toggle="tooltip_html" title="{{ c.list.name|force_escape|force_escape }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Exit scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                             {% endif %}
                                         {% elif c.forced %}
-                                            <span class="fa fa-fw fa-warning text-warning" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Additional entry scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
+                                            <span class="fa fa-fw fa-warning text-warning" data-toggle="tooltip_html" title="{{ c.list.name|force_escape|force_escape }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Additional entry scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% elif c.auto_checked_in %}
-                                            <span class="fa fa-fw fa-magic text-success" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically checked in: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
+                                            <span class="fa fa-fw fa-magic text-success" data-toggle="tooltip_html" title="{{ c.list.name|force_escape|force_escape }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically checked in: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% else %}
-                                            <span class="fa fa-fw fa-check text-success" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Entry scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
+                                            <span class="fa fa-fw fa-check text-success" data-toggle="tooltip_html" title="{{ c.list.name|force_escape|force_escape }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Entry scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% endif %}
                                     {% endfor %}
                                 {% endif %}
diff --git a/src/pretix/plugins/stripe/templates/pretixplugins/stripe/checkout_payment_form_cc.html b/src/pretix/plugins/stripe/templates/pretixplugins/stripe/checkout_payment_form_cc.html
index c9b2799aa0..a0a5cc8365 100644
--- a/src/pretix/plugins/stripe/templates/pretixplugins/stripe/checkout_payment_form_cc.html
+++ b/src/pretix/plugins/stripe/templates/pretixplugins/stripe/checkout_payment_form_cc.html
@@ -3,7 +3,7 @@
 <div class="form-horizontal stripe-container">
     {% if is_moto %}
         <h1>
-            <span class="label label-info pull-right flip" data-toggle="tooltip_html" title="{% trans "This transaction will be marked as Mail Order/Telephone Order, exempting it from Strong Customer Authentication (SCA) whenever possible" %}">MOTO</span>
+            <span class="label label-info pull-right flip" data-toggle="tooltip" title="{% trans "This transaction will be marked as Mail Order/Telephone Order, exempting it from Strong Customer Authentication (SCA) whenever possible" %}">MOTO</span>
         </h1>
         <div class="clearfix"></div>
     {% endif %}
diff --git a/src/pretix/static/pretixcontrol/js/ui/main.js b/src/pretix/static/pretixcontrol/js/ui/main.js
index fed379cfd3..11c49a3974 100644
--- a/src/pretix/static/pretixcontrol/js/ui/main.js
+++ b/src/pretix/static/pretixcontrol/js/ui/main.js
@@ -675,7 +675,21 @@ $(function () {
 
     $('[data-toggle="tooltip"]').tooltip();
     $('[data-toggle="tooltip_html"]').tooltip({
-        'html': true
+        'html': true,
+        'whiteList': {
+            // Global attributes allowed on any supplied element below.
+            '*': ['class', 'dir', 'id', 'lang', 'role'],
+            b: [],
+            br: [],
+            code: [],
+            div: [],  // required for template
+            h3: ['class', 'role'],  // required for template
+            i: [],
+            small: [],
+            span: [],
+            strong: [],
+            u: [],
+        }
     });
 
     var url = document.location.toString();