Escape HTML in placeholder samples in mail preview (#4413)

CVE-2024-8113
This commit is contained in:
Mira
2024-08-23 14:41:25 +02:00
committed by GitHub
parent a1db13b75e
commit f819f0c316
4 changed files with 11 additions and 8 deletions


@@ -38,6 +38,7 @@ from datetime import datetime
from django import forms
from django.utils.formats import get_format
from django.utils.functional import lazy
from django.utils.html import escape
from django.utils.timezone import get_current_timezone, now
from django.utils.translation import gettext_lazy as _
@@ -64,7 +65,7 @@ def format_placeholders_help_text(placeholders, event=None):
placeholders = [(k, v.render_sample(event) if event else v) for k, v in placeholders.items()]
placeholders.sort(key=lambda x: x[0])
phs = [
'<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (_("Sample: %s") % v if v else "", k)
'<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(_("Sample: %s") % v) if v else "", escape(k))
for k, v in placeholders
]
return _('Available placeholders: {list}').format(
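Review bot: The fixed `phs` line still relies on every interpolated value being wrapped in `escape()` one by one, which is exactly the shape the old line had when the sample was left unescaped; Django's `format_html` escapes each argument by construction, so a future edit that adds a third value cannot regress this. The equivalent line is `format_html('<button type="button" class="content-placeholder" title="{}">{{{}}}</button>', _("Sample: %s") % v if v else "", k)`, with `from django.utils.html import format_html` in place of the `escape` import the first hunk appears to add. The `{{{}}}` doubles the literal braces around the placeholder name because `format_html` goes through `str.format`. format_placeholders_help_text continues past the end of the hunk, so how the joined list is later marked safe and rendered is not visible here.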