PDF renderer: Properly escape HTML answer fields (#1473)

2026-05-10 16:04:02 +00:00 · 2019-10-29 17:58:10 +01:00
parent 9ed49fb379
commit f473439f77
1 changed files with 1 additions and 1 deletions
--- a/src/pretix/base/pdf.py
+++ b/src/pretix/base/pdf.py
@@ -288,7 +288,7 @@ def variables_from_questions(sender, *args, **kwargs):
        if not a:
            return ""
        else:
-            return str(a).replace("\n", "<br/>\n")
+            return escape(str(a)).replace("\n", "<br/>\n")
    d = {}
    for q in sender.questions.all():