From f179a220bcc0ff156ee7fa4f474a2e28acb80834 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Thu, 16 Jul 2020 08:42:40 +0200
Subject: [PATCH] Widget: Properly escape voucher codes
---
 src/pretix/static/pretixpresale/js/widget/widget.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pretix/static/pretixpresale/js/widget/widget.js b/src/pretix/static/pretixpresale/js/widget/widget.js
index 2f1d2d1348..7aa099024e 100644
--- a/src/pretix/static/pretixpresale/js/widget/widget.js
+++ b/src/pretix/static/pretixpresale/js/widget/widget.js
@@ -580,7 +580,7 @@ var shared_methods = {
 } else {
 return;
 }
- var redirect_url = this.$root.voucherFormTarget + '&voucher=' + this.voucher + '&subevent=' + this.$root.subevent;
+ var redirect_url = this.$root.voucherFormTarget + '&voucher=' + escape(this.voucher) + '&subevent=' + this.$root.subevent;
 if (this.$root.widget_data) {
 redirect_url += '&widget_data=' + escape(this.$root.widget_data_json);
 }
@@ -590,7 +590,7 @@ var shared_methods = {
 },
 voucher_open: function (voucher) {
 var redirect_url;
- redirect_url = this.$root.voucherFormTarget + '&voucher=' + voucher;
+ redirect_url = this.$root.voucherFormTarget + '&voucher=' + escape(voucher);
 if (this.$root.widget_data) {
 redirect_url += '&widget_data=' + escape(this.$root.widget_data_json);
 }
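Review bot: `escape()` on the new `redirect_url` line is not a query-component encoder. It leaves `+` (along with `@*_-./`) unencoded and emits `%uXXXX` for characters above U+00FF, so a voucher code containing `+` would probably be read as a space on the server, and non-Latin-1 codes produce invalid percent-encoding. `encodeURIComponent` is the right function here: `'&voucher=' + encodeURIComponent(this.voucher)`, and likewise `encodeURIComponent(voucher)` in the `voucher_open` hunk, which has the same issue. In the first hunk `this.$root.subevent` is still appended unencoded; if it can ever hold something other than a plain id it should be encoded too. Both enclosing functions start and end outside the hunks, so how `redirect_url` is consumed afterwards is not visible here.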