Make str.format_map with untrusted input safer (#2931)

2026-05-07 15:34:02 +00:00 · 2022-12-08 13:49:07 +01:00
parent 11eecd739d
commit b64c5735a8
12 changed files with 89 additions and 42 deletions
--- a/src/pretix/base/payment.py
+++ b/src/pretix/base/payment.py
@@ -68,6 +68,7 @@ from pretix.base.signals import register_payment_providers
 from pretix.base.templatetags.money import money_filter
 from pretix.base.templatetags.rich_text import rich_text
 from pretix.helpers.countries import CachedCountries
+from pretix.helpers.format import format_map
 from pretix.helpers.money import DecimalTextInput
 from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.presale.views import get_cart, get_cart_total
@@ -1122,12 +1123,12 @@ class ManualPayment(BasePaymentProvider):
        }

    def order_pending_mail_render(self, order, payment) -> str:
-        msg = str(self.settings.get('email_instructions', as_type=LazyI18nString)).format_map(self.format_map(order, payment))
+        msg = format_map(self.settings.get('email_instructions', as_type=LazyI18nString), self.format_map(order, payment))
        return msg

    def payment_pending_render(self, request, payment) -> str:
        return rich_text(
-            str(self.settings.get('pending_description', as_type=LazyI18nString)).format_map(self.format_map(payment.order, payment))
+            format_map(self.settings.get('pending_description', as_type=LazyI18nString), self.format_map(payment.order, payment))
        )