[SECURITY] Fix XSS vulnerability in Lightbox caption

2026-05-16 17:03:58 +00:00 · 2017-08-21 12:13:22 +02:00
parent a7ec475c40
commit c38a850294
2 changed files with 7 additions and 4 deletions
--- a/src/pretix/presale/templates/pretixpresale/event/index.html
+++ b/src/pretix/presale/templates/pretixpresale/event/index.html
@@ -132,7 +132,8 @@
                                    <div class="col-md-8 col-xs-12">
                                        {% if item.picture %}
                                            <a href="{{ item.picture.url }}" class="productpicture"
-                                                    data-title="{{ item.name }}"
+                                                    data-title="{{ item.name|force_escape|force_escape }}"
+                                                    {# Yes, double-escape to prevent XSS in lightbox #}
                                                    data-lightbox="{{ item.id }}">
                                                <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                        alt="{{ item.name }}"/>
@@ -243,7 +244,7 @@
                                <div class="col-md-8 col-xs-12">
                                    {% if item.picture %}
                                        <a href="{{ item.picture.url }}" class="productpicture"
-                                                data-title="{{ item.name }}"
+                                                data-title="{{ item.name|force_escape|force_escape }}"
                                                data-lightbox="{{ item.id }}">
                                            <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                    alt="{{ item.name }}"/>
--- a/src/pretix/presale/templates/pretixpresale/event/voucher.html
+++ b/src/pretix/presale/templates/pretixpresale/event/voucher.html
@@ -29,7 +29,8 @@
                                    <div class="col-md-8 col-xs-12">
                                        {% if item.picture %}
                                            <a href="{{ item.picture.url }}" class="productpicture"
-                                                    data-title="{{ item.name }}"
+                                                    data-title="{{ item.name|force_escape|force_escape }}"
+                                                    {# Yes, double-escape to prevent XSS in lightbox #}
                                                    data-lightbox="{{ item.id }}">
                                                <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                        alt="{{ item.name }}"/>
@@ -116,7 +117,8 @@
                                <div class="col-md-8 col-xs-12">
                                    {% if item.picture %}
                                        <a href="{{ item.picture.url }}" class="productpicture"
-                                                data-title="{{ item.name }}"
+                                                data-title="{{ item.name|force_escape|force_escape }}"
+                                                {# Yes, double-escape to prevent XSS in lightbox #}
                                                data-lightbox="{{ item.id }}">
                                            <img src="{{ item.picture|thumbnail_url:'productlist' }}"
                                                    alt="{{ item.name }}"/>