From f473439f773d14ac5b503dd7432a9f556495740f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sch=C3=A4fer?=
Date: Tue, 29 Oct 2019 17:58:10 +0100
Subject: [PATCH] PDF renderer: Properly escape HTML answer fields (#1473)
---
 src/pretix/base/pdf.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pretix/base/pdf.py b/src/pretix/base/pdf.py
index 7afc69de9e..9065297d45 100644
--- a/src/pretix/base/pdf.py
+++ b/src/pretix/base/pdf.py
@@ -288,7 +288,7 @@ def variables_from_questions(sender, *args, **kwargs):
 if not a:
 return ""
 else:
- return str(a).replace("\n", "
\n")
+ return escape(str(a)).replace("\n", "
\n")
 d = {}
 for q in sender.questions.all():
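Review bot: The order of the two calls on the added `return` line is load-bearing and has no comment: `escape()` must run before the newline replacement, so that only the line-break markup the code inserts itself stays unescaped. If the calls were swapped, that markup would be escaped too, and if `escape()` were dropped in a refactor, answer text would again reach the PDF text as markup. A line such as `# Escape first: answer text is presumably user-supplied; only the break markup added below may remain unescaped` above the return would record this. The diffstat shows one insertion and one deletion, so no import was added here; `escape` is presumably already imported in pdf.py, which is worth confirming because a missing name would fail only when an answer is rendered. A regression test that renders an answer containing `<` and `&` would pin the behaviour. The enclosing helper starts outside the hunk.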