PPv2: Handle payment execution/capture calls properly even if no captures are present yet.

Stripe: isort
Stripe: Add Wero as a hidden payment method (private beta; requires MoR)
2026-02-20 09:02:27 +00:00 · 2026-02-19 17:45:52 +01:00 · 2026-02-19 14:43:27 +01:00 · 2026-02-19 14:40:01 +01:00 · 2026-02-19 12:43:23 +01:00 · 2026-02-19 10:00:11 +01:00
45 changed files with 33545 additions and 211 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -92,7 +92,7 @@ dependencies = [
  "redis==7.1.*",
  "reportlab==4.4.*",
  "requests==2.32.*",
-  "sentry-sdk==2.52.*",
+  "sentry-sdk==2.53.*",
  "sepaxml==2.7.*",
  "stripe==7.9.*",
  "text-unidecode==1.*",
@@ -110,7 +110,7 @@ dev = [
  "aiohttp==3.13.*",
  "coverage",
  "coveralls",
-  "fakeredis==2.33.*",
+  "fakeredis==2.34.*",
  "flake8==7.3.*",
  "freezegun",
  "isort==7.0.*",
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -188,11 +188,15 @@ class CheckinListViewSet(viewsets.ModelViewSet):
        clist = self.get_object()
        if serializer.validated_data.get('nonce'):
            if kwargs.get('position'):
-                prev = kwargs['position'].all_checkins.filter(nonce=serializer.validated_data['nonce']).first()
+                prev = kwargs['position'].all_checkins.filter(
+                    nonce=serializer.validated_data['nonce'],
+                    successful=False
+                ).first()
            else:
                prev = clist.checkins.filter(
                    nonce=serializer.validated_data['nonce'],
                    raw_barcode=serializer.validated_data['raw_barcode'],
+                    successful=False
                ).first()
            if prev:
                # Ignore because nonce is already handled
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -259,7 +259,14 @@ class GiftCardViewSet(viewsets.ModelViewSet):
            action='pretix.giftcards.transaction.manual',
            user=self.request.user,
            auth=self.request.auth,
-            data=merge_dicts(self.request.data, {'id': inst.pk, 'acceptor_id': self.request.organizer.id})
+            data=merge_dicts(
+                self.request.data,
+                {
+                    'id': inst.pk,
+                    'acceptor_id': self.request.organizer.id,
+                    'acceptor_slug': self.request.organizer.slug
+                }
+            )
        )

    @transaction.atomic()
@@ -290,7 +297,11 @@ class GiftCardViewSet(viewsets.ModelViewSet):
                action='pretix.giftcards.transaction.manual',
                user=self.request.user,
                auth=self.request.auth,
-                data={'value': diff, 'acceptor_id': self.request.organizer.id}
+                data={
+                    'value': diff,
+                    'acceptor_id': self.request.organizer.id,
+                    'acceptor_slug': self.request.organizer.slug
+                }
            )

        return inst
@@ -320,7 +331,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
            data={
                'value': value,
                'text': text,
-                'acceptor_id': self.request.organizer.id
+                'acceptor_id': self.request.organizer.id,
+                'acceptor_slug': self.request.organizer.slug
            }
        )
        return Response(GiftCardSerializer(gc, context=self.get_serializer_context()).data, status=status.HTTP_200_OK)
--- a/src/pretix/api/webhooks.py
+++ b/src/pretix/api/webhooks.py
@@ -198,6 +198,7 @@ class ParametrizedGiftcardTransactionWebhookEvent(ParametrizedWebhookEvent):
            'notification_id': logentry.pk,
            'issuer_id': logentry.organizer_id,
            'acceptor_id': logentry.parsed_data.get('acceptor_id'),
+            'acceptor_slug': logentry.parsed_data.get('acceptor_slug'),
            'giftcard': giftcard.pk,
            'action': logentry.action_type,
        }
--- a/src/pretix/base/email.py
+++ b/src/pretix/base/email.py
@@ -39,7 +39,7 @@ from pretix.base.templatetags.rich_text import (
    DEFAULT_CALLBACKS, EMAIL_RE, URL_RE, abslink_callback,
    markdown_compile_email, truelink_callback,
 )
-from pretix.helpers.format import SafeFormatter, format_map
+from pretix.helpers.format import FormattedString, SafeFormatter, format_map

 from pretix.base.services.placeholders import (  # noqa
    get_available_placeholders, PlaceholderContext
@@ -141,6 +141,7 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
        return markdown_compile_email(plaintext, context=context)

    def render(self, plain_body: str, plain_signature: str, subject: str, order, position, context) -> str:
+        apply_format_map = not isinstance(plain_body, FormattedString)
        body_md = self.compile_markdown(plain_body, context)
        if context:
            linker = bleach.Linker(
@@ -149,12 +150,13 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
                callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
                parse_email=True
            )
-            body_md = format_map(
-                body_md,
-                context=context,
-                mode=SafeFormatter.MODE_RICH_TO_HTML,
-                linkifier=linker
-            )
+            if apply_format_map:
+                body_md = format_map(
+                    body_md,
+                    context=context,
+                    mode=SafeFormatter.MODE_RICH_TO_HTML,
+                    linkifier=linker
+                )
        htmlctx = {
            'site': settings.PRETIX_INSTANCE_NAME,
            'site_url': settings.SITE_URL,
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -651,6 +651,7 @@ class OrderListExporter(MultiSheetListExporter):
            pgettext('address', 'State'),
            _('Voucher'),
            _('Voucher budget usage'),
+            _('Voucher tag'),
            _('Pseudonymization ID'),
            _('Ticket secret'),
            _('Seat ID'),
@@ -769,6 +770,7 @@ class OrderListExporter(MultiSheetListExporter):
                    op.state_for_address or '',
                    op.voucher.code if op.voucher else '',
                    op.voucher_budget_use if op.voucher_budget_use else '',
+                    op.voucher.tag if op.voucher else '',
                    op.pseudonymization_id,
                    op.secret,
                ]
--- a/src/pretix/base/modelimport_vouchers.py
+++ b/src/pretix/base/modelimport_vouchers.py
@@ -132,7 +132,7 @@ class AllowIgnoreQuotaColumn(BooleanColumnMixin, ImportColumn):

 class PriceModeColumn(ImportColumn):
    identifier = 'price_mode'
-    verbose_name = gettext_lazy('Price mode')
+    verbose_name = gettext_lazy('Price effect')
    default_value = None
    initial = 'static:none'

@@ -147,7 +147,7 @@ class PriceModeColumn(ImportColumn):
        elif value in reverse:
            return reverse[value]
        else:
-            raise ValidationError(_("Could not parse {value} as a price mode, use one of {options}.").format(
+            raise ValidationError(_("Could not parse {value} as a price effect, use one of {options}.").format(
                value=value, options=', '.join(d.keys())
            ))

@@ -162,7 +162,7 @@ class ValueColumn(DecimalColumnMixin, ImportColumn):
    def clean(self, value, previous_values):
        value = super().clean(value, previous_values)
        if value and previous_values.get("price_mode") == "none":
-            raise ValidationError(_("It is pointless to set a value without a price mode."))
+            raise ValidationError(_("It is pointless to set a value without a price effect."))
        return value

    def assign(self, value, obj: Voucher, **kwargs):
--- a/src/pretix/base/models/orders.py
+++ b/src/pretix/base/models/orders.py
@@ -87,7 +87,7 @@ from pretix.base.timemachine import time_machine_now

 from ...helpers import OF_SELF
 from ...helpers.countries import CachedCountries, FastCountryField
-from ...helpers.format import format_map
+from ...helpers.format import FormattedString, format_map
 from ...helpers.names import build_name
 from ...testutils.middleware import debugflags_var
 from ._transactions import (
@@ -1178,7 +1178,8 @@ class Order(LockModel, LoggedModel):
                recipient = position.attendee_email

            email_content = render_mail(template, context)
-            subject = format_map(subject, context)
+            if not isinstance(subject, FormattedString):
+                subject = format_map(subject, context)
            mail(
                recipient, subject, template, context,
                self.event, self.locale, self, headers=headers, sender=sender,
@@ -2907,7 +2908,8 @@ class OrderPosition(AbstractPosition):
        with language(self.order.locale, self.order.event.settings.region):
            recipient = self.attendee_email
            email_content = render_mail(template, context)
-            subject = format_map(subject, context)
+            if not isinstance(subject, FormattedString):
+                subject = format_map(subject, context)
            mail(
                recipient, subject, template, context,
                self.event, self.order.locale, order=self.order, headers=headers, sender=sender,
--- a/src/pretix/base/models/vouchers.py
+++ b/src/pretix/base/models/vouchers.py
@@ -239,7 +239,7 @@ class Voucher(LoggedModel):
        )
    )
    price_mode = models.CharField(
-        verbose_name=_("Price mode"),
+        verbose_name=_("Price effect"),
        max_length=100,
        choices=PRICE_MODES,
        default='none'
--- a/src/pretix/base/payment.py
+++ b/src/pretix/base/payment.py
@@ -1650,7 +1650,8 @@ class GiftCardPayment(BasePaymentProvider):
                    action='pretix.giftcards.transaction.payment',
                    data={
                        'value': trans.value,
-                        'acceptor_id': self.event.organizer.id
+                        'acceptor_id': self.event.organizer.id,
+                        'acceptor_slug': self.event.organizer.slug
                    }
                )
        except PaymentException as e:
@@ -1682,6 +1683,7 @@ class GiftCardPayment(BasePaymentProvider):
            data={
                'value': refund.amount,
                'acceptor_id': self.event.organizer.id,
+                'acceptor_slug': self.event.organizer.slug,
                'text': refund.comment,
            }
        )
--- a/src/pretix/base/services/mail.py
+++ b/src/pretix/base/services/mail.py
@@ -81,7 +81,9 @@ from pretix.base.signals import (
 )
 from pretix.celery_app import app
 from pretix.helpers import OF_SELF
-from pretix.helpers.format import SafeFormatter, format_map
+from pretix.helpers.format import (
+    FormattedString, PlainHtmlAlternativeString, SafeFormatter, format_map,
+)
 from pretix.helpers.hierarkey import clean_filename
 from pretix.multidomain.urlreverse import build_absolute_uri
 from pretix.presale.ical import get_private_icals
@@ -218,6 +220,9 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
    if email == INVALID_ADDRESS:
        return

+    if isinstance(template, FormattedString):
+        raise TypeError("Cannot pass an already formatted body template")
+
    if no_order_links and not plain_text_only:
        raise ValueError('If you set no_order_links, you also need to set plain_text_only.')

@@ -251,23 +256,28 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
    if event and attach_tickets and not event.settings.mail_attach_tickets:
        attach_tickets = False

-    with language(locale):
+    with language(locale), override(timezone):
        if isinstance(context, dict) and order:
            _autoextend_context(context, order)

        # Build raw content
-        body_plain = render_mail(template, context, placeholder_mode=SafeFormatter.MODE_RICH_TO_PLAIN)
+        content_plain = render_mail(template, context, placeholder_mode=None)
        if settings_holder:
            signature = str(settings_holder.settings.get('mail_text_signature'))
        else:
            signature = ""

        # Build full plain-text body
+        if not isinstance(content_plain, FormattedString):
+            body_plain = format_map(content_plain, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)
+        else:
+            body_plain = content_plain
        body_plain = _wrap_plain_body(body_plain, signature, event, order, position, no_order_links)
-        body_plain = format_map(body_plain, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)

        # Build subject
-        subject = str(subject).format_map(TolerantDict(context))
+        if not isinstance(subject, FormattedString):
+            subject = format_map(subject, context)
+
        subject = raw_subject = subject.replace('\n', ' ').replace('\r', '')[:900]
        if settings_holder:
            subject = prefix_subject(settings_holder, subject)
@@ -286,26 +296,24 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
            else:
                renderer = ClassicMailRenderer(None, organizer)

-            with override(timezone):
-                content_plain = render_mail(template, context, placeholder_mode=None)
-                try:
-                    if 'context' in inspect.signature(renderer.render).parameters:
-                        body_html = renderer.render(content_plain, signature, raw_subject, order, position, context)
-                    elif 'position' in inspect.signature(renderer.render).parameters:
-                        # Backwards compatibility
-                        warnings.warn('Email renderer called without context argument because context argument is not '
-                                      'supported.',
-                                      DeprecationWarning)
-                        body_html = renderer.render(content_plain, signature, raw_subject, order, position)
-                    else:
-                        # Backwards compatibility
-                        warnings.warn('Email renderer called without position argument because position argument is not '
-                                      'supported.',
-                                      DeprecationWarning)
-                        body_html = renderer.render(content_plain, signature, raw_subject, order)
-                except:
-                    logger.exception('Could not render HTML body')
-                    body_html = None
+            try:
+                if 'context' in inspect.signature(renderer.render).parameters:
+                    body_html = renderer.render(content_plain, signature, raw_subject, order, position, context)
+                elif 'position' in inspect.signature(renderer.render).parameters:
+                    # Backwards compatibility
+                    warnings.warn('Email renderer called without context argument because context argument is not '
+                                  'supported.',
+                                  DeprecationWarning)
+                    body_html = renderer.render(content_plain, signature, raw_subject, order, position)
+                else:
+                    # Backwards compatibility
+                    warnings.warn('Email renderer called without position argument because position argument is not '
+                                  'supported.',
+                                  DeprecationWarning)
+                    body_html = renderer.render(content_plain, signature, raw_subject, order)
+            except:
+                logger.exception('Could not render HTML body')
+                body_html = None

        m = OutgoingMail.objects.create(
            organizer=organizer,
@@ -790,7 +798,12 @@ def render_mail(template, context, placeholder_mode: Optional[int]=SafeFormatter
            body = format_map(body, context, mode=placeholder_mode)
    else:
        tpl = get_template(template)
-        body = tpl.render(context)
+        context = {
+            # Known bug, should behave differently for plain and HTML but we'll fix after security release
+            k: v.html if isinstance(v, PlainHtmlAlternativeString) else v
+            for k, v in context.items()
+        }
+        body = FormattedString(tpl.render(context))
    return body


@@ -936,7 +949,7 @@ def _wrap_plain_body(content_plain, signature, event, order, position, no_order_
    body_plain += "\r\n\r\n-- \r\n"

    if signature:
-        signature = signature.format(event=event.name if event else '')
+        signature = format_map(signature, {"event": event.name if event else ''})
        body_plain += signature
        body_plain += "\r\n\r\n-- \r\n"

@@ -948,7 +961,7 @@ def _wrap_plain_body(content_plain, signature, event, order, position, no_order_
        body_plain += _(
            "You can view your order details at the following URL:\n{orderurl}."
        ).replace("\n", "\r\n").format(
-            event=event.name, orderurl=build_absolute_uri(
+            orderurl=build_absolute_uri(
                order.event, 'presale:event.order.position', kwargs={
                    'order': order.code,
                    'secret': position.web_secret,
--- a/src/pretix/base/services/orders.py
+++ b/src/pretix/base/services/orders.py
@@ -253,7 +253,8 @@ def reactivate_order(order: Order, force: bool=False, user: User=None, auth=None
                        auth=auth,
                        data={
                            'value': position.price,
-                            'acceptor_id': order.event.organizer.id
+                            'acceptor_id': order.event.organizer.id,
+                            'acceptor_slug': order.event.organizer.slug
                        }
                    )
                    break
@@ -563,6 +564,7 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device
                        data={
                            'value': -position.price,
                            'acceptor_id': order.event.organizer.id,
+                            'acceptor_slug': order.event.organizer.slug
                        }
                    )

@@ -2457,7 +2459,8 @@ class OrderChangeManager:
                            auth=self.auth,
                            data={
                                'value': -position.price,
-                                'acceptor_id': self.order.event.organizer.id
+                                'acceptor_id': self.order.event.organizer.id,
+                                'acceptor_slug': self.order.event.organizer.slug
                            }
                        )

@@ -2483,7 +2486,8 @@ class OrderChangeManager:
                                auth=self.auth,
                                data={
                                    'value': -opa.position.price,
-                                    'acceptor_id': self.order.event.organizer.id
+                                    'acceptor_id': self.order.event.organizer.id,
+                                    'acceptor_slug': self.order.event.organizer.slug
                                }
                            )

@@ -3453,6 +3457,7 @@ def signal_listener_issue_giftcards(sender: Event, order: Order, **kwargs):
                    data={
                        'value': trans.value,
                        'acceptor_id': order.event.organizer.id,
+                        'acceptor_slug': order.event.organizer.slug
                    }
                )
                any_giftcards = True
--- a/src/pretix/base/templates/404.html
+++ b/src/pretix/base/templates/404.html
@@ -8,9 +8,6 @@
        <h1>{% trans "Not found" %}</h1>
        <p>{% trans "I'm afraid we could not find the the resource you requested." %}</p>
        <p>{{ exception }}</p>
-        <p class="links">
-            <a id='goback' href='#'>{% trans "Take a step back" %}</a>
-        </p>
        {% if request.user.is_staff and not staff_session %}
            <form action="{% url 'control:user.sudo' %}?next={{ request.path|add:"?"|add:request.GET.urlencode|urlencode }}" method="post">
                <p>
--- a/src/pretix/control/templates/pretixcontrol/user/2fa_main.html
+++ b/src/pretix/control/templates/pretixcontrol/user/2fa_main.html
@@ -144,14 +144,23 @@
        </div>
        <div class="panel-body">
            <p>
-                {% trans "If you lose access to your devices, you can use one of the following keys to log in. We recommend to store them in a safe place, e.g. printed out or in a password manager. Every token can be used at most once." %}
+                {% blocktrans trimmed %}
+                    If you lose access to your devices, you can use one of your emergency tokens to log in.
+                    We recommend to store them in a safe place, e.g. printed out or in a password manager.
+                    Every token can be used at most once.
+                {% endblocktrans %}
            </p>
-            <p>{% trans "Unused tokens:" %}</p>
-            <ul>
-                {% for t in static_tokens %}
-                    <li><code>{{ t.token }}</code></li>
-                {% endfor %}
-            </ul>
+            {% if static_tokens_device %}
+                <p>
+                    {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
+                        You generated your emergency tokens on {{ generation_date_time }}.
+                    {% endblocktrans %}
+                </p>
+            {% else %}
+                <p>
+                    {% trans "You don't have any emergency tokens yet." %}
+                </p>
+            {% endif %}
            <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
                <span class="fa fa-refresh"></span>
                {% trans "Generate new emergency tokens" %}
--- a/src/pretix/control/views/organizer.py
+++ b/src/pretix/control/views/organizer.py
@@ -1850,7 +1850,8 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                        data={
                            'value': value,
                            'text': request.POST.get('text'),
-                            'acceptor_id': self.request.organizer.id
+                            'acceptor_id': self.request.organizer.id,
+                            'acceptor_slug': self.request.organizer.slug
                        },
                        user=self.request.user,
                    )
@@ -1913,7 +1914,8 @@ class GiftCardCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                user=self.request.user,
                data={
                    'value': form.cleaned_data['value'],
-                    'acceptor_id': self.request.organizer.id
+                    'acceptor_id': self.request.organizer.id,
+                    'acceptor_slug': self.request.organizer.slug
                }
            )
        return redirect(reverse(
--- a/src/pretix/control/views/user.py
+++ b/src/pretix/control/views/user.py
@@ -49,12 +49,14 @@ from django.db import transaction
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.crypto import get_random_string
+from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
 from django.utils.html import format_html
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from django.views.decorators.cache import never_cache
 from django.views.generic import FormView, ListView, TemplateView, UpdateView
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
@@ -85,8 +87,9 @@ logger = logging.getLogger(__name__)


 class RecentAuthenticationRequiredMixin:
-    max_time = 3600
+    max_time = 900

+    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        tdelta = time.time() - request.session.get('pretix_auth_login_time', 0)
        if tdelta > self.max_time:
@@ -289,16 +292,13 @@ class User2FAMainView(RecentAuthenticationRequiredMixin, TemplateView):
        ctx = super().get_context_data()

        try:
-            ctx['static_tokens'] = StaticDevice.objects.get(user=self.request.user, name='emergency').token_set.all()
+            ctx['static_tokens_device'] = StaticDevice.objects.get(user=self.request.user, name='emergency')
        except StaticDevice.MultipleObjectsReturned:
-            ctx['static_tokens'] = StaticDevice.objects.filter(
+            ctx['static_tokens_device'] = StaticDevice.objects.filter(
                user=self.request.user, name='emergency'
-            ).first().token_set.all()
+            ).first()
        except StaticDevice.DoesNotExist:
-            d = StaticDevice.objects.create(user=self.request.user, name='emergency')
-            for i in range(10):
-                d.token_set.create(token=get_random_string(length=12, allowed_chars='1234567890'))
-            ctx['static_tokens'] = d.token_set.all()
+            ctx['static_tokens_device'] = None

        ctx['devices'] = []
        for dt in REAL_DEVICE_TYPES:
@@ -631,7 +631,8 @@ class User2FARegenerateEmergencyView(RecentAuthenticationRequiredMixin, Template
        self.request.user.update_session_token()
        update_session_auth_hash(self.request, self.request.user)
        messages.success(request, _('Your emergency codes have been newly generated. Remember to store them in a safe '
-                                    'place in case you lose access to your devices.'))
+                                    'place in case you lose access to your devices. You will not be able to view them '
+                                    'again here.\n\nYour emergency codes:\n- ' + '\n- '.join(t.token for t in d.token_set.all())))
        return redirect(reverse('control:user.settings.2fa'))


--- a/src/pretix/helpers/cookies.py
+++ b/src/pretix/helpers/cookies.py
@@ -34,7 +34,10 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
    if not is_secure:
        # https://www.chromestatus.com/feature/5633521622188032
        return
-    if should_send_same_site_none(request.headers.get('User-Agent', '')):
+
+    useragent = request.headers.get('User-Agent', '')
+
+    if should_send_same_site_none(useragent):
        # Chromium is rolling out SameSite=Lax as a default
        # https://www.chromestatus.com/feature/5088147346030592
        # This however breaks all pretix-in-an-iframe things, such as the pretix Widget.
@@ -44,8 +47,29 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
        # This will only work on secure cookies as well
        # https://www.chromestatus.com/feature/5633521622188032
        response.cookies[key]['secure'] = is_secure
-        # CHIPS
-        response.cookies[key]['Partitioned'] = True
+
+        if can_send_partitioned_cookie(useragent):
+            # CHIPS
+            response.cookies[key]['Partitioned'] = True
+
+
+def can_send_partitioned_cookie(useragent):
+    # Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not
+    # sent back to the originating site after multi-hop cross-site redirects,
+    # breaking SSO login flows in pretix.
+    #
+    # Partitioned cookies were initially introduced in Safari 18.4, removed
+    # again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the
+    # current issue is present.
+    #
+    # Once the Safari issue is fixed, this check should be refined to be
+    # conditional on the affected versions only.
+    #
+    # WebKit issues:
+    #
+    #   - https://bugs.webkit.org/show_bug.cgi?id=292975
+    #   - https://bugs.webkit.org/show_bug.cgi?id=306194
+    return not is_safari(useragent)


 # Based on https://www.chromium.org/updates/same-site/incompatible-clients
--- a/src/pretix/helpers/format.py
+++ b/src/pretix/helpers/format.py
@@ -22,6 +22,7 @@
 import logging
 from string import Formatter

+from django.core.exceptions import SuspiciousOperation
 from django.utils.html import conditional_escape

 logger = logging.getLogger(__name__)
@@ -37,6 +38,17 @@ class PlainHtmlAlternativeString:
        return f"PlainHtmlAlternativeString('{self.plain}', '{self.html}')"


+class FormattedString(str):
+    """
+    A str subclass that has been specifically marked as "already formatted" for email rendering
+    purposes to avoid duplicate formatting.
+    """
+    __slots__ = ()
+
+    def __str__(self):
+        return self
+
+
 class SafeFormatter(Formatter):
    """
    Customized version of ``str.format`` that (a) behaves just like ``str.format_map`` and
@@ -77,8 +89,19 @@ class SafeFormatter(Formatter):
        # Ignore format_spec
        return super().format_field(self._prepare_value(value), '')

+    def convert_field(self, value, conversion):
+        # Ignore any conversions
+        if conversion is None:
+            return value
+        else:
+            return str(value)

-def format_map(template, context, raise_on_missing=False, mode=SafeFormatter.MODE_RICH_TO_PLAIN, linkifier=None):
+
+def format_map(template, context, raise_on_missing=False, mode=SafeFormatter.MODE_RICH_TO_PLAIN, linkifier=None) -> FormattedString:
+    if isinstance(template, FormattedString):
+        raise SuspiciousOperation("Calling format_map() on an already formatted string is likely unsafe.")
    if not isinstance(template, str):
        template = str(template)
-    return SafeFormatter(context, raise_on_missing, mode=mode, linkifier=linkifier).format(template)
+    return FormattedString(
+        SafeFormatter(context, raise_on_missing, mode=mode, linkifier=linkifier).format(template)
+    )
--- a/src/pretix/locale/ja/LC_MESSAGES/django.po
+++ b/src/pretix/locale/ja/LC_MESSAGES/django.po
@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-01-26 13:19+0000\n"
-"PO-Revision-Date: 2026-02-06 07:41+0000\n"
-"Last-Translator: Ryo Tagami <rtagami@airstrip.jp>\n"
+"PO-Revision-Date: 2026-02-12 20:00+0000\n"
+"Last-Translator: Yasunobu YesNo Kawaguchi <kawaguti@gmail.com>\n"
 "Language-Team: Japanese <https://translate.pretix.eu/projects/pretix/pretix/"
 "ja/>\n"
 "Language: ja\n"
@@ -2544,7 +2544,7 @@ msgstr "終了日"
 #: pretix/presale/templates/pretixpresale/event/fragment_cart.html:12
 #: pretix/presale/templates/pretixpresale/organizers/customer_membership.html:91
 msgid "Product"
-msgstr "商品"
+msgstr "製品"

 #: pretix/base/exporters/orderlist.py:652 pretix/base/models/vouchers.py:315
 #: pretix/control/templates/pretixcontrol/vouchers/bulk.html:5
@@ -4048,7 +4048,7 @@ msgstr "複数の一致する製品が見つかりました。"
 #: pretix/base/modelimport_vouchers.py:205 pretix/base/models/items.py:1257
 #: pretix/base/models/vouchers.py:266 pretix/base/models/waitinglist.py:100
 msgid "Product variation"
-msgstr "商品バリエーション"
+msgstr "製品バリエーション"

 #: pretix/base/modelimport_orders.py:161
 msgid "The variation can be specified by its internal ID or full name."
@@ -9144,8 +9144,8 @@ msgid ""
 "The voucher code used for one of the items in your cart has already been too "
 "often. We adjusted the price of the item in your cart."
 msgstr ""
-"カートの商品の一つに使用されているバウチャーコードは既に使用回数を超えていま"
-"す。カート内の商品価格を調整しました。"
+"カート内のアイテムに使用されたバウチャーコードは、すでに使用回数の上限に達し"
+"ています。カート内のアイテムの価格を調整しました。"

 #: pretix/base/services/orders.py:182
 msgid ""
@@ -24181,7 +24181,7 @@ msgstr "高度な検索"
 #: pretix/control/templates/pretixcontrol/orders/index.html:102
 #, python-format
 msgid "List filtered by answers to question \"%(question)s\"."
-msgstr "質問 \"%(question)s\" への回答で絞り込まれたリスト"
+msgstr "質問「%(question)s」への回答で絞り込まれたリストです。"

 #: pretix/control/templates/pretixcontrol/orders/index.html:107
 msgid "Remove filter"
@@ -34229,8 +34229,8 @@ msgid ""
 "The items in your cart are no longer reserved for you. You can still "
 "complete your order as long as they’re available."
 msgstr ""
-"カート内の商品の確保期限が切れました。在庫があれば、このまま注文を完了するこ"
-"とができます。"
+"カート内のアイテムの予約が解除されました。在庫がある限り、引き続き注文を完了"
+"できます。"

 #: pretix/presale/templates/pretixpresale/event/fragment_cart.html:514
 #: pretix/presale/templates/pretixpresale/fragment_modals.html:48
@@ -34243,7 +34243,7 @@ msgstr "確保が更新されました"

 #: pretix/presale/templates/pretixpresale/event/fragment_cart.html:532
 msgid "Overview of your ordered products."
-msgstr "注文した製品の概要"
+msgstr "注文した製品の概要。"

 #: pretix/presale/templates/pretixpresale/event/fragment_cart_box.html:50
 msgid "Continue with order process"
--- a/src/pretix/locale/ja/LC_MESSAGES/djangojs.po
+++ b/src/pretix/locale/ja/LC_MESSAGES/djangojs.po
@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-01-26 09:10+0000\n"
-"PO-Revision-Date: 2026-02-06 07:41+0000\n"
-"Last-Translator: Ryo Tagami <rtagami@airstrip.jp>\n"
+"PO-Revision-Date: 2026-02-12 20:00+0000\n"
+"Last-Translator: Yasunobu YesNo Kawaguchi <kawaguti@gmail.com>\n"
 "Language-Team: Japanese <https://translate.pretix.eu/projects/pretix/pretix-"
 "js/ja/>\n"
 "Language: ja\n"
@@ -456,11 +456,11 @@ msgstr "="

 #: pretix/static/pretixcontrol/js/ui/checkinrules.js:99
 msgid "Product"
-msgstr "商品"
+msgstr "製品"

 #: pretix/static/pretixcontrol/js/ui/checkinrules.js:103
 msgid "Product variation"
-msgstr "商品バリエーション"
+msgstr "製品バリエーション"

 #: pretix/static/pretixcontrol/js/ui/checkinrules.js:107
 msgid "Gate"
@@ -726,8 +726,8 @@ msgid ""
 "The items in your cart are no longer reserved for you. You can still "
 "complete your order as long as they’re available."
 msgstr ""
-"カート内の商品の確保期限が切れました。在庫があれば、このまま注文を完了するこ"
-"とができます。"
+"カート内のアイテムの予約が解除されました。在庫がある限り、引き続き注文を完了"
+"できます。"

 #: pretix/static/pretixpresale/js/ui/cart.js:49
 msgid "Cart expired"
--- a/src/pretix/locale/nl/LC_MESSAGES/django.po
+++ b/src/pretix/locale/nl/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: 1\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-01-26 13:19+0000\n"
-"PO-Revision-Date: 2026-02-05 23:00+0000\n"
+"PO-Revision-Date: 2026-02-12 00:00+0000\n"
 "Last-Translator: Ruud Hendrickx <ruud@leckxicon.eu>\n"
 "Language-Team: Dutch <https://translate.pretix.eu/projects/pretix/pretix/nl/>"
 "\n"
@@ -7993,11 +7993,11 @@ msgid ""
 "12345 Any City\n"
 "Atlantis"
 msgstr ""
-"Piet Peeters\n"
+"Piet Janssen\n"
 "Voorbeeldbedrijf\n"
 "Sesamstraat 42\n"
-"12345 Ergens\n"
-"Niemandsland"
+"1234 AB  Amsterdam\n"
+"Nederland"

 #: pretix/base/pdf.py:198
 msgid "Attendee street"
--- a/src/pretix/locale/nl_BE/LC_MESSAGES/django.po
+++ b/src/pretix/locale/nl_BE/LC_MESSAGES/django.po
--- a/src/pretix/locale/nl_Informal/LC_MESSAGES/django.po
+++ b/src/pretix/locale/nl_Informal/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-01-26 13:19+0000\n"
-"PO-Revision-Date: 2026-02-05 23:00+0000\n"
+"PO-Revision-Date: 2026-02-12 00:00+0000\n"
 "Last-Translator: Ruud Hendrickx <ruud@leckxicon.eu>\n"
 "Language-Team: Dutch (informal) <https://translate.pretix.eu/projects/pretix/"
 "pretix/nl_Informal/>\n"
@@ -8002,9 +8002,9 @@ msgid ""
 "Atlantis"
 msgstr ""
 "Piet Janssen\n"
-"Voorbeeld bedrijf\n"
+"Voorbeeldbedrijf\n"
 "Sesamstraat 42\n"
-"1234AB Amsterdam\n"
+"1234 AB  Amsterdam\n"
 "Nederland"

 #: pretix/base/pdf.py:198
@@ -21786,9 +21786,9 @@ msgid ""
 "copy all products, categories, quotas, and questions as well as general "
 "event settings."
 msgstr ""
-"Wil je de instellingen van een ander evenement kopiëren? We zullen alle "
-"producten, categorieën, quota en vragen overnemen, samen met de algemene "
-"evenementsinstellingen."
+"Wil je de configuratie van een ander evenement kopiëren? We kopiëren alle "
+"producten, categorieën, quota en vragen, evenals de algemene "
+"evenementinstellingen."

 #: pretix/control/templates/pretixcontrol/events/create_copy.html:13
 msgid ""
@@ -21796,25 +21796,25 @@ msgid ""
 "need to change some settings manually, e.g. date and time settings and texts "
 "that contain the event name."
 msgstr ""
-"Controleer alle instellingen! Je moet waarschijnlijk nog steeds wat "
-"instellingen handmatig aanpassen, bijvoorbeeld datum- en tijdsinstellingen, "
-"en teksten die de evenementsnaam bevatten."
+"Controleer alle instellingen zorgvuldig. Waarschijnlijk moet je nog enkele "
+"instellingen handmatig wijzigen, bijvoorbeeld de datum- en tijdinstellingen "
+"en teksten die de naam van het evenement bevatten."

 #: pretix/control/templates/pretixcontrol/events/create_foundation.html:7
 msgid "Event type"
-msgstr "Evenementssoort"
+msgstr "Type evenement"

 #: pretix/control/templates/pretixcontrol/events/create_foundation.html:13
 msgid "Singular event or non-event shop"
-msgstr "Enkel evenement of winkel die niet voor een evenement is"
+msgstr "Eenmalig evenement of geen evenement"

 #: pretix/control/templates/pretixcontrol/events/create_foundation.html:15
 msgid ""
 "An event with individual configuration. If you create more events later, you "
 "can copy the event to save yourself some work."
 msgstr ""
-"Een evenement met eigen instellingen. Als je later meer evenementen aanmaakt "
-"kan je de instellingen van dit evenement kopiëren."
+"Een evenement met eigen instellingen. Als je later meer evenementen "
+"aanmaakt, kan je de instellingen van dit evenement kopiëren."

 #: pretix/control/templates/pretixcontrol/events/create_foundation.html:21
 msgid ""
@@ -21834,8 +21834,8 @@ msgid ""
 "A series of events that share the same configuration. They can still be "
 "different in their dates, locations, prices, and capacities."
 msgstr ""
-"Een reeks evenementen die dezelfde instellingen delen. De evenementen in de "
-"reeks kunnen verschillen in hun datums, prijzen en capaciteiten."
+"Een reeks evenementen met dezelfde configuratie. Ze kunnen nog steeds "
+"verschillen qua data, locaties, prijzen en capaciteiten."

 #: pretix/control/templates/pretixcontrol/events/create_foundation.html:40
 msgid ""
@@ -21861,9 +21861,8 @@ msgid ""
 "The list below shows all events you have administrative access to. Click on "
 "the event name to access event details."
 msgstr ""
-"De lijst hieronder toont alle evenementen waar je administratieve toegang "
-"toe hebt. Klik op de evenementsnaam om de details van het evenement te "
-"openen."
+"De onderstaande lijst toont alle evenementen waar je beheerderstoegang toe "
+"hebt. Klik op de naam van het evenement om de details ervan te bekijken."

 #: pretix/control/templates/pretixcontrol/events/index.html:12
 #: pretix/control/templates/pretixcontrol/organizers/detail.html:18
@@ -21923,7 +21922,7 @@ msgstr "Aantallen bijgewerkt op %(date)s"
 #: pretix/control/templates/pretixcontrol/fragment_quota_box_paid.html:3
 #, python-format
 msgid "Currently available: %(num)s"
-msgstr "Op dit moment beschikbaar: %(num)s"
+msgstr "Nu beschikbaar: %(num)s"

 #: pretix/control/templates/pretixcontrol/global_license.html:8
 msgid ""
@@ -21973,7 +21972,7 @@ msgstr "Installatiegegevens"

 #: pretix/control/templates/pretixcontrol/global_license.html:34
 msgid "Installed plugins"
-msgstr "Geïnstalleerde plugins"
+msgstr "Geïnstalleerde plug-ins"

 #: pretix/control/templates/pretixcontrol/global_license.html:40
 msgid "Public information"
--- a/src/pretix/locale/th/LC_MESSAGES/django.po
+++ b/src/pretix/locale/th/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-01-26 13:19+0000\n"
-"PO-Revision-Date: 2026-02-05 14:34+0000\n"
+"PO-Revision-Date: 2026-02-14 06:10+0000\n"
 "Last-Translator: Nate Horst <nate@agcthailand.org>\n"
 "Language-Team: Thai <https://translate.pretix.eu/projects/pretix/pretix/th/>"
 "\n"
@@ -1000,7 +1000,7 @@ msgstr "โดเมนอีเมลที่ใช้สั่งซื้อ
 #: pretix/plugins/reports/exporters.py:900
 #: pretix/plugins/ticketoutputpdf/exporters.py:96
 msgid "Order code"
-msgstr "รหัสการสั่งซื้อ"
+msgstr "รหัสการลงทะเบียน"

 #: pretix/base/datasync/sourcefields.py:380
 msgid "Event and order code"
@@ -7190,7 +7190,7 @@ msgstr "สินค้าที่ซื้อแล้ว"
 #: pretix/base/services/placeholders.py:424
 #: pretix/base/templates/pretixbase/email/order_details.html:151
 msgid "View order details"
-msgstr "ดูรายละเอียดคำสั่งซื้อ"
+msgstr "ดูรายละเอียดการลงทะเบียน"

 #: pretix/base/notifications.py:234
 #, python-brace-format
@@ -11567,7 +11567,7 @@ msgstr ""
 #: pretix/base/settings.py:2856 pretix/base/settings.py:2872
 #, python-brace-format
 msgid "Your ticket is ready for download: {code}"
-msgstr ""
+msgstr "ตั๋วของคุณพร้อมสำหรับการดาวน์โหลดแล้ว: {code}"

 #: pretix/base/settings.py:2860
 #, python-brace-format
@@ -12477,7 +12477,7 @@ msgstr ""
 #: pretix/presale/templates/pretixpresale/event/base.html:222
 #: pretix/presale/templates/pretixpresale/organizers/base.html:100
 msgid "Contact"
-msgstr ""
+msgstr "ติดต่อ"

 #: pretix/base/templates/pretixbase/email/shred_completed.txt:2
 #, python-format
@@ -12548,21 +12548,23 @@ msgstr ""

 #: pretix/base/templates/source.html:5 pretix/base/templates/source.html:9
 msgid "Source code"
-msgstr ""
+msgstr "ซอร์สโค้ด (Source code)"

 #: pretix/base/templates/source.html:10
 msgid ""
 "This site is powered by free software. If you want to read the license terms "
 "or obtain the source code, follow these links or instructions:"
 msgstr ""
+"เว็บไซต์นี้ขับเคลื่อนโดยซอฟต์แวร์เสรี หากคุณต้องการอ่านเงื่อนไขการอนุญาตใช้งานหรือรับซอร์สโค้ด โปร"
+"ดไปที่ลิงก์หรือคำแนะนำต่อไปนี้:"

 #: pretix/base/ticketoutput.py:182
 msgid "Enable ticket format"
-msgstr ""
+msgstr "เปิดใช้งานรูปแบบตั๋ว"

 #: pretix/base/ticketoutput.py:200
 msgid "Download ticket"
-msgstr ""
+msgstr "ดาวน์โหลดตั๋ว"

 #: pretix/base/timeframes.py:49
 msgctxt "reporting_timeframe"
@@ -19827,7 +19829,7 @@ msgstr ""
 #: pretix/presale/templates/pretixpresale/event/fragment_downloads.html:7
 #: pretix/presale/templates/pretixpresale/event/fragment_downloads.html:40
 msgid "Ticket download"
-msgstr ""
+msgstr "ดาวน์โหลดตั๋ว"

 #: pretix/control/templates/pretixcontrol/event/tickets.html:11
 msgid "Download settings"
@@ -21760,27 +21762,27 @@ msgstr ""

 #: pretix/control/templates/pretixcontrol/order/index.html:410
 msgid "Change products"
-msgstr ""
+msgstr "เปลี่ยนรายการสินค้า"

 #: pretix/control/templates/pretixcontrol/order/index.html:415
 #: pretix/presale/templates/pretixpresale/event/order.html:197
 msgid "Ordered items"
-msgstr ""
+msgstr "รายการสินค้าที่สั่งซื้อ"

 #: pretix/control/templates/pretixcontrol/order/index.html:434
 #, python-format
 msgid "Denied scan: %(date)s"
-msgstr ""
+msgstr "การสแกนถูกปฏิเสธ: %(date)s"

 #: pretix/control/templates/pretixcontrol/order/index.html:439
 #, python-format
 msgid "Exit scan: %(date)s"
-msgstr ""
+msgstr "สแกนขาออก: %(date)s"

 #: pretix/control/templates/pretixcontrol/order/index.html:446
 #, python-format
 msgid "Entry scan: %(date)s"
-msgstr ""
+msgstr "สแกนขาเข้า: %(date)s"

 #: pretix/control/templates/pretixcontrol/order/index.html:465
 #: pretix/presale/templates/pretixpresale/event/fragment_cart.html:55
@@ -21922,7 +21924,7 @@ msgstr ""
 #: pretix/presale/templates/pretixpresale/event/checkout_confirm.html:90
 #: pretix/presale/templates/pretixpresale/event/order.html:318
 msgid "ZIP code and city"
-msgstr ""
+msgstr "รหัสไปรษณีย์ และชื่อเมือง"

 #: pretix/control/templates/pretixcontrol/order/index.html:1047
 msgid "Valid EU VAT ID"
@@ -30726,46 +30728,46 @@ msgstr ""

 #: pretix/plugins/ticketoutputpdf/ticketoutput.py:65
 msgid "Download tickets (PDF)"
-msgstr ""
+msgstr "ดาวน์โหลดตั๋ว (PDF)"

 #: pretix/plugins/ticketoutputpdf/ticketoutput.py:66
 msgid "Download ticket (PDF)"
-msgstr ""
+msgstr "ดาวน์โหลดตั๋ว (PDF)"

 #: pretix/plugins/ticketoutputpdf/views.py:62
 msgid "Default ticket layout"
-msgstr ""
+msgstr "รูปแบบตั๋วมาตรฐาน"

 #: pretix/plugins/ticketoutputpdf/views.py:119
 msgid "The new ticket layout has been created."
-msgstr ""
+msgstr "สร้างรูปแบบตั๋วใหม่เรียบร้อยแล้ว"

 #: pretix/plugins/ticketoutputpdf/views.py:168
 #: pretix/plugins/ticketoutputpdf/views.py:198
 #: pretix/plugins/ticketoutputpdf/views.py:246
 msgid "The requested layout does not exist."
-msgstr ""
+msgstr "ไม่พบรูปแบบตั๋วที่ร้องขอ"

 #: pretix/plugins/ticketoutputpdf/views.py:210
 msgid "The selected ticket layout been deleted."
-msgstr ""
+msgstr "รูปแบบตั๋วที่เลือกถูกลบออกแล้ว"

 #: pretix/plugins/ticketoutputpdf/views.py:250
 #, python-brace-format
 msgid "Ticket PDF layout: {}"
-msgstr ""
+msgstr "รูปแบบไฟล์ PDF ของตั๋ว: {}"

 #: pretix/plugins/webcheckin/apps.py:30 pretix/plugins/webcheckin/apps.py:33
 msgid "Web-based check-in"
-msgstr ""
+msgstr "การเช็คอินผ่านเว็บ"

 #: pretix/plugins/webcheckin/apps.py:38
 msgid "Turn your browser into a check-in device to perform access control."
-msgstr ""
+msgstr "เปลี่ยนเบราว์เซอร์ของคุณให้เป็นอุปกรณ์เช็คอินเพื่อควบคุมการเข้างาน"

 #: pretix/plugins/webcheckin/apps.py:40 pretix/plugins/webcheckin/signals.py:36
 msgid "Web Check-in"
-msgstr ""
+msgstr "เว็บเช็คอิน (Web Check-in)"

 #: pretix/presale/checkoutflow.py:117
 msgctxt "checkoutflow"
@@ -31188,7 +31190,7 @@ msgstr ""
 #: pretix/presale/templates/pretixpresale/event/base.html:242
 #: pretix/presale/templates/pretixpresale/organizers/base.html:120
 msgid "Imprint"
-msgstr ""
+msgstr "ข้อมูลทางกฎหมาย (Imprint)"

 #: pretix/presale/templates/pretixpresale/event/checkout_addons.html:12
 msgid ""
@@ -32075,24 +32077,25 @@ msgstr ""
 #: pretix/presale/templates/pretixpresale/event/fragment_downloads.html:76
 #: pretix/presale/templates/pretixpresale/event/fragment_downloads.html:82
 msgid "Please have your ticket ready when entering the event."
-msgstr ""
+msgstr "โปรดเตรียมตั๋วของคุณให้พร้อมเมื่อเข้าสู่งาน"

 #: pretix/presale/templates/pretixpresale/event/fragment_downloads.html:85
 msgid "Download your tickets using the buttons below."
-msgstr ""
+msgstr "ดาวน์โหลดตั๋วของคุณโดยใช้ปุ่มด้านล่างนี้"

 #: pretix/presale/templates/pretixpresale/event/fragment_downloads.html:94
 #, python-format
 msgid "You will be able to download your tickets here starting on %(date)s."
 msgstr ""
+"คุณจะสามารถดาวน์โหลดตั๋วของคุณได้ที่นี่ ตั้งแต่วันที่ %(date)s เป็นต้นไป"

 #: pretix/presale/templates/pretixpresale/event/fragment_event_info.html:7
 msgid "Where does the event happen?"
-msgstr ""
+msgstr "กิจกรรมจัดขึ้นที่ไหน?"

 #: pretix/presale/templates/pretixpresale/event/fragment_event_info.html:17
 msgid "When does the event happen?"
-msgstr ""
+msgstr "กิจกรรมจัดขึ้นเมื่อไหร่?"

 #: pretix/presale/templates/pretixpresale/event/fragment_event_info.html:26
 #, python-format
@@ -32491,7 +32494,7 @@ msgstr ""

 #: pretix/presale/templates/pretixpresale/event/order.html:287
 msgid "Your information"
-msgstr ""
+msgstr "ข้อมูลของคุณ"

 #: pretix/presale/templates/pretixpresale/event/order.html:290
 msgid "Change your information"
--- a/src/pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/pending.html
+++ b/src/pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/pending.html
@@ -21,10 +21,10 @@
            <dt>{% trans "Reference code (important):" %}</dt><dd><b>{{ code }}</b></dd>
            <dt>{% trans "Amount:" %}</dt><dd>{{ amount|money:event.currency }}</dd>
            {% if settings.bank_details_type == "sepa" %}
-                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dt>
-                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dt>
-                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dt>
-                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dt>
+                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dd>
+                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dd>
+                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dd>
+                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dd>
            {% endif %}
        </dl>
        {% if details %}
@@ -38,4 +38,4 @@
    {% if payment_qr_codes %}
        {% include "pretixpresale/event/payment_qr_codes.html" %}
    {% endif %}
-</div>
+</div>
--- a/src/pretix/plugins/paypal2/payment.py
+++ b/src/pretix/plugins/paypal2/payment.py
@@ -786,23 +786,29 @@ class PaypalMethod(BasePaymentProvider):
                else:
                    pp_captured_order = response.result

-                for purchaseunit in pp_captured_order.purchase_units:
-                    for capture in purchaseunit.payments.captures:
-                        try:
-                            ReferencedPayPalObject.objects.get_or_create(order=payment.order, payment=payment, reference=capture.id)
-                        except ReferencedPayPalObject.MultipleObjectsReturned:
-                            pass
-
-                        if capture.status != 'COMPLETED':
-                            messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
-                                                        'soon as the payment completed.'))
-                            payment.info = json.dumps(pp_captured_order.dict())
-                            payment.state = OrderPayment.PAYMENT_STATE_PENDING
-                            payment.save()
-                            return
-
            payment.refresh_from_db()

+            any_captures = False
+            all_captures_completed = True
+            for purchaseunit in pp_captured_order.purchase_units:
+                for capture in purchaseunit.payments.captures:
+                    try:
+                        ReferencedPayPalObject.objects.get_or_create(order=payment.order, payment=payment, reference=capture.id)
+                    except ReferencedPayPalObject.MultipleObjectsReturned:
+                        pass
+
+                    if capture.status != 'COMPLETED':
+                        all_captures_completed = False
+                    else:
+                        any_captures = True
+            if not (any_captures and all_captures_completed):
+                messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
+                                            'soon as the payment completed.'))
+                payment.info = json.dumps(pp_captured_order.dict())
+                payment.state = OrderPayment.PAYMENT_STATE_PENDING
+                payment.save()
+                return
+
            if pp_captured_order.status != 'COMPLETED':
                payment.fail(info=pp_captured_order.dict())
                logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))
--- a/src/pretix/plugins/stripe/payment.py
+++ b/src/pretix/plugins/stripe/payment.py
@@ -118,6 +118,7 @@ logger = logging.getLogger('pretix.plugins.stripe')
 # - UPI: ✗
 # - Netbanking: ✗
 # - TWINT: ✓
+# - Wero: ✓ (No settings UI yet)
 #
 # Bank transfers
 # - ACH Bank Transfer: ✗
@@ -509,6 +510,15 @@ class StripeSettingsHolder(BasePaymentProvider):
                                 'before they work properly.'),
                     required=False,
                 )),
+                # Disabled for now, since still in closed Beta and only available to dedicated boarded accounts.
+                # ('method_wero',
+                #  forms.BooleanField(
+                #     label=_('Wero'),
+                #      disabled=self.event.currency not in 'EUR',
+                #      help_text=_('Some payment methods might need to be enabled in the settings of your Stripe account '
+                #                  'before they work properly.'),
+                #      required=False,
+                #  )),
            ] + extra_fields + list(super().settings_form_fields.items()) + moto_settings
        )
        if not self.settings.connect_client_id or self.settings.secret_key:
@@ -1946,3 +1956,15 @@ class StripeMobilePay(StripeRedirectMethod):
                "type": "mobilepay",
            },
        }
+
+
+class StripeWero(StripeRedirectMethod):
+    identifier = 'stripe_wero'
+    verbose_name = _('WERO via Stripe')
+    public_name = 'WERO'
+    method = 'wero'
+    confirmation_method = 'automatic'
+    explanation = _(
+        'This payment method is available to European online banking users, whose banking institutions support WERO '
+        'either through their native banking apps or through the WERO wallet app. Please have you app ready.'
+    )
--- a/src/pretix/plugins/stripe/signals.py
+++ b/src/pretix/plugins/stripe/signals.py
@@ -49,14 +49,14 @@ def register_payment_provider(sender, **kwargs):
        StripeMultibanco, StripePayByBank, StripePayPal, StripePromptPay,
        StripePrzelewy24, StripeRevolutPay, StripeSEPADirectDebit,
        StripeSettingsHolder, StripeSofort, StripeSwish, StripeTwint,
-        StripeWeChatPay,
+        StripeWeChatPay, StripeWero,
    )

    return [
        StripeSettingsHolder, StripeCC, StripeGiropay, StripeIdeal, StripeAlipay, StripeBancontact,
        StripeSofort, StripeEPS, StripeMultibanco, StripePayByBank, StripePrzelewy24, StripePromptPay, StripeRevolutPay,
        StripeWeChatPay, StripeSEPADirectDebit, StripeAffirm, StripeKlarna, StripePayPal, StripeSwish,
-        StripeTwint, StripeMobilePay
+        StripeTwint, StripeMobilePay, StripeWero
    ]


--- a/src/pretix/presale/context.py
+++ b/src/pretix/presale/context.py
@@ -179,6 +179,7 @@ def _default_context(request):
    ctx['html_page_header'] = "".join(h for h in _html_page_header if h)
    ctx['footer'] = _footer
    ctx['site_url'] = settings.SITE_URL
+    ctx['request_get_items'] = request.GET.items()

    ctx['js_datetime_format'] = get_javascript_format_without_seconds('DATETIME_INPUT_FORMATS')
    ctx['js_date_format'] = get_javascript_format_without_seconds('DATE_INPUT_FORMATS')
--- a/src/pretix/presale/templates/pretixpresale/event/fragment_subevent_calendar.html
+++ b/src/pretix/presale/templates/pretixpresale/event/fragment_subevent_calendar.html
@@ -15,7 +15,7 @@
        </li>
        <li class="text-center">
            <form class="form-inline" method="get" id="monthselform" action="{% eventurl event "presale:event.index" cart_namespace=cart_namespace %}">
-                {% for f, v in request.GET.items %}
+                {% for f, v in request_get_items %}
                    {% if f != "date" %}
                        <input type="hidden" name="{{ f }}" value="{{ v }}">
                    {% endif %}
--- a/src/pretix/presale/templates/pretixpresale/event/fragment_subevent_calendar_week.html
+++ b/src/pretix/presale/templates/pretixpresale/event/fragment_subevent_calendar_week.html
@@ -15,7 +15,7 @@
        </li>
        <li class="text-center">
            <form class="form-inline" method="get" id="monthselform" action="{% eventurl event "presale:event.index" cart_namespace=cart_namespace %}">
-                {% for f, v in request.GET.items %}
+                {% for f, v in request_get_items %}
                    {% if f != "date" %}
                        <input type="hidden" name="{{ f }}" value="{{ v }}">
                    {% endif %}
--- a/src/pretix/presale/templates/pretixpresale/event/order.html
+++ b/src/pretix/presale/templates/pretixpresale/event/order.html
@@ -304,7 +304,7 @@
                            <dt>{% trans "Phone number" %}</dt>
                            <dd>{{ order.phone|phone_format }}</dd>
                        {% endif %}
-                        {% if invoice_address_asked %}
+                        {% if invoice_address_asked and order.invoice_address.is_business %}
                            <dt>{% trans "Company" %}</dt>
                            <dd>{{ order.invoice_address.company }}</dd>
                        {% endif %}
--- a/src/pretix/presale/templates/pretixpresale/event/resend_link.html
+++ b/src/pretix/presale/templates/pretixpresale/event/resend_link.html
@@ -1,14 +1,14 @@
 {% extends "pretixpresale/event/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
-{% block title %}{% trans "Resend order links" %}{% endblock %}
+{% block title %}{% trans "Resend order link" %}{% endblock %}
 {% block custom_header %}
    {{ block.super }}
    <meta name="robots" content="noindex, nofollow">
 {% endblock %}
 {% block content %}
    <h2>
-        {% trans "Resend order links" %}
+        {% trans "Resend order link" %}
    </h2>
    <p>
        {% blocktrans trimmed %}
--- a/src/pretix/presale/templates/pretixpresale/fragment_event_list_filter.html
+++ b/src/pretix/presale/templates/pretixpresale/fragment_event_list_filter.html
@@ -7,7 +7,7 @@
 {% if filter_form.fields %}
    <form class="event-list-filter-form" method="get" data-save-scrollpos>
        <input type="hidden" name="filtered" value="1">
-        {% for f, v in request.GET.items %}
+        {% for f, v in request_get_items %}
            {% if f not in filter_form.fields and f != "page" %}
                <input type="hidden" name="{{ f }}" value="{{ v }}">
            {% endif %}
--- a/src/pretix/presale/templates/pretixpresale/organizers/calendar.html
+++ b/src/pretix/presale/templates/pretixpresale/organizers/calendar.html
@@ -47,7 +47,7 @@
                    </li>
                    <li class="text-center">
                        <form class="form-inline" method="get" id="monthselform" action="{% eventurl request.organizer "presale:organizer.index" %}">
-                            {% for f, v in request.GET.items %}
+                            {% for f, v in request_get_items %}
                                {% if f != "date" %}
                                    <input type="hidden" name="{{ f }}" value="{{ v }}">
                                {% endif %}
--- a/src/pretix/presale/templates/pretixpresale/organizers/calendar_day.html
+++ b/src/pretix/presale/templates/pretixpresale/organizers/calendar_day.html
@@ -47,7 +47,7 @@
                    </li>
                    <li class="text-center">
                        <form class="form-inline" method="get" id="monthselform" action="{% eventurl request.organizer "presale:organizer.index" %}">
-                            {% for f, v in request.GET.items %}
+                            {% for f, v in request_get_items %}
                                {% if f != "date" %}
                                    <input type="hidden" name="{{ f }}" value="{{ v }}">
                                {% endif %}
--- a/src/pretix/presale/templates/pretixpresale/organizers/calendar_week.html
+++ b/src/pretix/presale/templates/pretixpresale/organizers/calendar_week.html
@@ -47,7 +47,7 @@
                    </li>
                    <li class="text-center">
                        <form class="form-inline" method="get" id="monthselform" action="{% eventurl request.organizer "presale:organizer.index" %}">
-                            {% for f, v in request.GET.items %}
+                            {% for f, v in request_get_items %}
                                {% if f != "date" %}
                                    <input type="hidden" name="{{ f }}" value="{{ v }}">
                                {% endif %}
--- a/src/pretix/presale/views/order.py
+++ b/src/pretix/presale/views/order.py
@@ -1510,7 +1510,10 @@ class OrderChangeMixin:
                            'max_count': iao.max_count,
                            'iao': iao,
                            'items': [i for i in items if not i.require_voucher],
-                            'items_missing': {k: v for k, v in current_addon_products_missing.items() if v},
+                            'items_missing': {
+                                k: v for k, v in current_addon_products_missing.items()
+                                if v and k[0].category_id == iao.addon_category_id
+                            },
                        })

        return positions
--- a/src/pretix/static/pretixpresale/js/widget/widget.js
+++ b/src/pretix/static/pretixpresale/js/widget/widget.js
@@ -252,7 +252,7 @@ Vue.component('availbox', {
        variation: Object
    },
    mounted: function() {
-        if (this.$root.itemnum === 1 && (!this.$root.categories[0].items[0].has_variations || this.$root.categories[0].items[0].variations.length < 2) && !this.$root.has_seating_plan ? 1 : 0) {
+        if (!this.$root.cart_exists && this.$root.itemnum === 1 && (!this.$root.categories[0].items[0].has_variations || this.$root.categories[0].items[0].variations.length < 2) && !this.$root.has_seating_plan ? 1 : 0) {
            this.$refs.quantity.value = 1;    
            if (this.order_max === 1) {
                this.$refs.quantity.checked = true;
--- a/src/tests/api/test_checkin.py
+++ b/src/tests/api/test_checkin.py
@@ -1177,6 +1177,30 @@ def test_store_failed(token_client, organizer, clist, event, order):
    assert resp.status_code == 400


+@pytest.mark.django_db
+def test_store_failed_after_success(token_client, organizer, clist, event, order):
+    with scopes_disabled():
+        p = order.positions.first()
+        p.all_checkins.create(
+            type=Checkin.TYPE_ENTRY,
+            nonce='foobar',
+            successful=True,
+            list=clist,
+            raw_barcode=p.secret
+        )
+    resp = token_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/failed_checkins/'.format(
+        organizer.slug, event.slug, clist.pk,
+    ), {
+        'raw_barcode': p.secret,
+        'nonce': 'foobar',
+        'position': p.pk,
+        'error_reason': 'unpaid'
+    }, format='json')
+    assert resp.status_code == 201
+    with scopes_disabled():
+        assert Checkin.all.filter(position=p).count() == 2
+
+
@pytest.mark.django_db
 def test_redeem_unknown(token_client, organizer, clist, event, order):
    resp = _redeem(token_client, organizer, clist, 'unknown_secret', {'force': True})
--- a/src/tests/base/test_mail.py
+++ b/src/tests/base/test_mail.py
@@ -32,21 +32,26 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

+import datetime
 import os
 import re
+from decimal import Decimal
 from email.mime.text import MIMEText

 import pytest
 from django.conf import settings
 from django.core import mail as djmail
 from django.test import override_settings
+from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_scopes import scope
+from django_scopes import scope, scopes_disabled
 from i18nfield.strings import LazyI18nString

 from pretix.base.email import get_email_context
-from pretix.base.models import Event, Organizer, OutgoingMail, User
+from pretix.base.models import (
+    Event, InvoiceAddress, Order, Organizer, OutgoingMail, User,
+)
 from pretix.base.services.mail import mail, mail_send_task


@@ -68,6 +73,45 @@ def env():
        yield event, user, o


+@pytest.fixture
+@scopes_disabled()
+def item(env):
+    return env[0].items.create(name="Budget Ticket", default_price=23)
+
+
+@pytest.fixture
+@scopes_disabled()
+def order(env, item):
+    event, _, _ = env
+    o = Order.objects.create(
+        code="FOO",
+        event=event,
+        email="dummy@dummy.test",
+        status=Order.STATUS_PENDING,
+        secret="k24fiuwvu8kxz3y1",
+        sales_channel=event.organizer.sales_channels.get(identifier="web"),
+        datetime=datetime.datetime(2017, 12, 1, 10, 0, 0, tzinfo=datetime.timezone.utc),
+        expires=datetime.datetime(2017, 12, 10, 10, 0, 0, tzinfo=datetime.timezone.utc),
+        total=23,
+        locale="en",
+    )
+    o.positions.create(
+        order=o,
+        item=item,
+        variation=None,
+        price=Decimal("23"),
+        attendee_email="peter@example.org",
+        attendee_name_parts={"given_name": "Peter", "family_name": "Miller"},
+        secret="z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
+        pseudonymization_id="ABCDEFGHKL",
+    )
+    InvoiceAddress.objects.create(
+        order=o,
+        name_parts={"given_name": "Peter", "family_name": "Miller"},
+    )
+    return o
+
+
@pytest.mark.django_db
 def test_send_mail_with_prefix(env):
    djmail.outbox = []
@@ -279,7 +323,7 @@ def _extract_html(mail):
 def test_placeholder_html_rendering_from_template(env):
    djmail.outbox = []
    event, user, organizer = env
-    event.name = "<strong>event & co. kg</strong>"
+    event.name = "<strong>event & co. kg</strong> {currency}"
    event.save()
    mail('dummy@dummy.dummy', '{event} Test subject', 'mailtest.txt', get_email_context(
        event=event,
@@ -288,25 +332,26 @@ def test_placeholder_html_rendering_from_template(env):

    assert len(djmail.outbox) == 1
    assert djmail.outbox[0].to == [user.email]
-    assert 'Event name: <strong>event & co. kg</strong>' in djmail.outbox[0].body
-    assert '**IBAN**: 123  \n**BIC**: 456' in djmail.outbox[0].body
-    assert '**Meta**: *Beep*' in djmail.outbox[0].body
-    assert 'Event website: [<strong>event & co. kg</strong>](https://example.org/dummy)' in djmail.outbox[0].body
-    assert 'Other website: [<strong>event & co. kg</strong>](https://example.com)' in djmail.outbox[0].body
-    assert '&lt;' not in djmail.outbox[0].body
-    assert '&amp;' not in djmail.outbox[0].body
+    # Known bug for now: These should not have HTML for the plain body, but we'll fix this safter the security release
+    assert escape('Event name: <strong>event & co. kg</strong> {currency}') in djmail.outbox[0].body
+    assert '<strong>IBAN</strong>: 123<br>\n<strong>BIC</strong>: 456' in djmail.outbox[0].body
+    assert '**Meta**: <em>Beep</em>' in djmail.outbox[0].body
+    assert escape('Event website: [<strong>event & co. kg</strong> {currency}](https://example.org/dummy)') in djmail.outbox[0].body
+    # todo: assert '&lt;' not in djmail.outbox[0].body
+    # todo: assert '&amp;' not in djmail.outbox[0].body
+    assert 'Unevaluated placeholder: {currency}' in djmail.outbox[0].body
+    assert 'EUR' not in djmail.outbox[0].body
    html = _extract_html(djmail.outbox[0])

    assert '<strong>event' not in html
-    assert 'Event name: &lt;strong&gt;event &amp; co. kg&lt;/strong&gt;' in html
+    assert 'Event name: &lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}' in html
    assert '<strong>IBAN</strong>: 123<br/>\n<strong>BIC</strong>: 456' in html
    assert '<strong>Meta</strong>: <em>Beep</em>' in html
+    assert 'Unevaluated placeholder: {currency}' in html
+    assert 'EUR' not in html
    assert re.search(
-        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
-        html
-    )
-    assert re.search(
-        r'Other website: <a href="https://example.com" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">'
+        r'&lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}</a>',
        html
    )

@@ -324,7 +369,7 @@ def test_placeholder_html_rendering_from_string(env):
    })
    djmail.outbox = []
    event, user, organizer = env
-    event.name = "<strong>event & co. kg</strong>"
+    event.name = "<strong>event & co. kg</strong> {currency}"
    event.save()
    ctx = get_email_context(
        event=event,
@@ -335,9 +380,9 @@ def test_placeholder_html_rendering_from_string(env):

    assert len(djmail.outbox) == 1
    assert djmail.outbox[0].to == [user.email]
-    assert 'Event name: <strong>event & co. kg</strong>' in djmail.outbox[0].body
-    assert 'Event website: [<strong>event & co. kg</strong>](https://example.org/dummy)' in djmail.outbox[0].body
-    assert 'Other website: [<strong>event & co. kg</strong>](https://example.com)' in djmail.outbox[0].body
+    assert 'Event name: <strong>event & co. kg</strong> {currency}' in djmail.outbox[0].body
+    assert 'Event website: [<strong>event & co. kg</strong> {currency}](https://example.org/dummy)' in djmail.outbox[0].body
+    assert 'Other website: [<strong>event & co. kg</strong> {currency}](https://example.com)' in djmail.outbox[0].body
    assert '**IBAN**: 123  \n**BIC**: 456' in djmail.outbox[0].body
    assert '**Meta**: *Beep*' in djmail.outbox[0].body
    assert 'URL: https://google.com' in djmail.outbox[0].body
@@ -352,11 +397,13 @@ def test_placeholder_html_rendering_from_string(env):
    assert '<strong>IBAN</strong>: 123<br/>\n<strong>BIC</strong>: 456' in html
    assert '<strong>Meta</strong>: <em>Beep</em>' in html
    assert re.search(
-        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">'
+        r'&lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}</a>',
        html
    )
    assert re.search(
-        r'Other website: <a href="https://example.com" rel="noopener" style="[^"]+" target="_blank">&lt;strong&gt;event &amp; co. kg&lt;/strong&gt;</a>',
+        r'Other website: <a href="https://example.com" rel="noopener" style="[^"]+" target="_blank">'
+        r'&lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}</a>',
        html
    )
    assert re.search(
@@ -377,3 +424,141 @@ def test_placeholder_html_rendering_from_string(env):
        r'style="[^"]+" target="_blank">Link &amp; Text</a>',
        html
    )
+
+
+@pytest.mark.django_db
+def test_nested_placeholder_inclusion_full_process(env, order):
+    # Test that it is not possible to sneak in a placeholder like {url_cancel} inside a user-controlled
+    # placeholder value like {invoice_company}
+    event, user, organizer = env
+    position = order.positions.get()
+    order.invoice_address.company = "{url_cancel} Corp"
+    order.invoice_address.save()
+    event.settings.mail_text_resend_link = LazyI18nString({"en": "Ticket for {invoice_company}"})
+    event.settings.mail_subject_resend_link_attendee = LazyI18nString({"en": "Ticket for {invoice_company}"})
+
+    djmail.outbox = []
+    position.resend_link()
+    assert len(djmail.outbox) == 1
+    assert djmail.outbox[0].to == [position.attendee_email]
+    assert "Ticket for {url_cancel} Corp" == djmail.outbox[0].subject
+    assert "/cancel" not in djmail.outbox[0].body
+    assert "/order" not in djmail.outbox[0].body
+    html, plain = _extract_html(djmail.outbox[0]), djmail.outbox[0].body
+    for part in (html, plain):
+        assert "Ticket for {url_cancel} Corp" in part
+        assert "/order/" not in part
+        assert "/cancel" not in part
+
+
+@pytest.mark.django_db
+def test_nested_placeholder_inclusion_mail_service(env):
+    # test that it is not possible to have placeholders within the values of placeholders when
+    # the mail() function is called directly
+    template = LazyI18nString("Event name: {event}")
+    djmail.outbox = []
+    event, user, organizer = env
+    event.name = "event & {currency} co. kg"
+    event.slug = "event-co-ag-slug"
+    event.save()
+
+    mail(
+        "dummy@dummy.dummy",
+        "{event} Test subject",
+        template,
+        get_email_context(
+            event=event,
+            payment_info="**IBAN**: 123  \n**BIC**: 456 {event}",
+        ),
+        event,
+    )
+
+    assert len(djmail.outbox) == 1
+    assert djmail.outbox[0].to == [user.email]
+    html, plain = _extract_html(djmail.outbox[0]), djmail.outbox[0].body
+    for part in (html, plain, djmail.outbox[0].subject):
+        assert "event & {currency} co. kg" in part or "event &amp; {currency} co. kg" in part
+        assert "EUR" not in part
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("tpl", [
+    "Event: {event.__class__}",
+    "Event: {{event.__class__}}",
+    "Event: {{{event.__class__}}}",
+])
+def test_variable_inclusion_from_string_full_process(env, tpl, order):
+    # Test that it is not possible to use placeholders that leak system information in templates
+    # when run through system processes
+    event, user, organizer = env
+    event.name = "event & co. kg"
+    event.save()
+    position = order.positions.get()
+    event.settings.mail_text_resend_link = LazyI18nString({"en": tpl})
+    event.settings.mail_subject_resend_link_attendee = LazyI18nString({"en": tpl})
+
+    position.resend_link()
+    assert len(djmail.outbox) == 1
+    html, plain = _extract_html(djmail.outbox[0]), djmail.outbox[0].body
+    for part in (html, plain, djmail.outbox[0].subject):
+        assert "{event.__class__}" in part
+        assert "LazyI18nString" not in part
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("tpl", [
+    "Event: {event.__class__}",
+    "Event: {{event.__class__}}",
+    "Event: {{{event.__class__}}}",
+])
+def test_variable_inclusion_from_string_mail_service(env, tpl):
+    # Test that it is not possible to use placeholders that leak system information in templates
+    # when run through mail() directly
+    event, user, organizer = env
+    event.name = "event & co. kg"
+    event.save()
+
+    djmail.outbox = []
+    mail(
+        "dummy@dummy.dummy",
+        tpl,
+        LazyI18nString(tpl),
+        get_email_context(
+            event=event,
+            payment_info="**IBAN**: 123  \n**BIC**: 456\n" + tpl,
+        ),
+        event,
+    )
+    assert len(djmail.outbox) == 1
+    html, plain = _extract_html(djmail.outbox[0]), djmail.outbox[0].body
+    for part in (html, plain, djmail.outbox[0].subject):
+        assert "{event.__class__}" in part
+        assert "LazyI18nString" not in part
+
+
+@pytest.mark.django_db
+def test_escaped_braces_mail_services(env):
+    # Test that braces can be escaped by doubling
+    template = LazyI18nString("Event name: -{{currency}}-")
+    djmail.outbox = []
+    event, user, organizer = env
+    event.name = "event & co. kg"
+    event.save()
+
+    mail(
+        "dummy@dummy.dummy",
+        "-{{currency}}- Test subject",
+        template,
+        get_email_context(
+            event=event,
+            payment_info="**IBAN**: 123  \n**BIC**: 456 {event}",
+        ),
+        event,
+    )
+
+    assert len(djmail.outbox) == 1
+    assert djmail.outbox[0].to == [user.email]
+    html, plain = _extract_html(djmail.outbox[0]), djmail.outbox[0].body
+    for part in (html, plain, djmail.outbox[0].subject):
+        assert "EUR" not in part
+        assert "-{currency}-" in part
--- a/src/tests/base/test_modelimport_vouchers.py
+++ b/src/tests/base/test_modelimport_vouchers.py
@@ -170,7 +170,7 @@ def test_price_mode_validation(event, item, user):
        import_vouchers.apply(
            args=(event.pk, inputfile_factory().id, settings, 'en', user.pk)
        ).get()
-    assert 'It is pointless to set a value without a price mode.' in str(excinfo.value)
+    assert 'It is pointless to set a value without a price effect.' in str(excinfo.value)

    settings['price_mode'] = 'static:percent'
    import_vouchers.apply(
--- a/src/tests/control/test_user.py
+++ b/src/tests/control/test_user.py
@@ -339,13 +339,17 @@ class UserSettings2FATest(SoupTest):

    def test_gen_emergency(self):
        self.client.get('/control/settings/2fa/')
+        assert not StaticDevice.objects.filter(user=self.user, name='emergency').exists()
+
+        self.client.post('/control/settings/2fa/regenemergency')
        d = StaticDevice.objects.get(user=self.user, name='emergency')
        assert d.token_set.count() == 10
        old_tokens = set(t.token for t in d.token_set.all())
+
        self.client.post('/control/settings/2fa/regenemergency')
-        new_tokens = set(t.token for t in d.token_set.all())
        d = StaticDevice.objects.get(user=self.user, name='emergency')
        assert d.token_set.count() == 10
+        new_tokens = set(t.token for t in d.token_set.all())
        assert old_tokens != new_tokens

    def test_delete_u2f(self):
--- a/src/tests/helpers/test_format.py
+++ b/src/tests/helpers/test_format.py
@@ -29,6 +29,8 @@ def test_format_map():
    assert format_map("Foo {baz}", {"bar": 3}) == "Foo {baz}"
    assert format_map("Foo {bar.__module__}", {"bar": 3}) == "Foo {bar.__module__}"
    assert format_map("Foo {bar!s}", {"bar": 3}) == "Foo 3"
+    assert format_map("Foo {bar!r}", {"bar": '3'}) == "Foo 3"
+    assert format_map("Foo {bar!a}", {"bar": '3'}) == "Foo 3"
    assert format_map("Foo {bar:<20}", {"bar": 3}) == "Foo 3"


--- a/src/tests/templates/mailtest.txt
+++ b/src/tests/templates/mailtest.txt
@@ -1,13 +1,13 @@
 {% load i18n %}
 This is a test file for sending mails.
-Event name: {event}
+Event name: {{ event }}
+Unevaluated placeholder: {currency}
 {% get_current_language as LANGUAGE_CODE %}
 The language code used for rendering this email is {{ LANGUAGE_CODE }}.

 Payment info:
-{payment_info}
+{{ payment_info }}

-**Meta**: {meta_Test}
+**Meta**: {{ meta_Test }}

-Event website: [{event}](https://example.org/{event_slug})
-Other website: [{event}]({meta_Website})
+Event website: [{{event}}](https://example.org/{{event_slug}})
Author	SHA1	Message	Date
Martin Gross	582b8d815e	PPv2: Handle payment execution/capture calls properly even if no captures are present yet.	2026-02-19 17:45:52 +01:00
Martin Gross	3d53c03906	Stripe: isort	2026-02-19 14:43:27 +01:00
Martin Gross	59d1d2cb16	Stripe: Add Wero as a hidden payment method (private beta; requires MoR)	2026-02-19 14:40:01 +01:00
luelista	7e45837295	Security hardening for 2FA configuration (#5685 ) * reduce default RecentAuthenticationRequiredMixin timeout to 15 min * never cache pages with RecentAuthenticationRequiredMixin * show emergency codes only once after generating	2026-02-19 12:43:23 +01:00
Lukas Bockstaller	fd9ed15065	include acceptor slug in log/webhook event (#5906 )	2026-02-19 10:00:11 +01:00
Richard Schreiber	2df3d9206b	Add voucher tag to orderlist positions export	2026-02-19 09:42:00 +01:00
Kian Cross	fbd8bbbeaa	Disable partitioned cookies for Safari due to WebKit bugs (#5843 ) Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not sent back to the originating site after multi-hop cross-site redirects, breaking SSO login flows in pretix. Partitioned cookies were initially introduced in Safari 18.4, removed again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the current issue is present. As a mitigation, disable sending the `Partitioned` attribute for Safari user agents. This is intentionally conservative; once the Safari issue is fixed, this check should be refined to be conditional on the affected versions only. WebKit issues: - https://bugs.webkit.org/show_bug.cgi?id=292975 - https://bugs.webkit.org/show_bug.cgi?id=306194	2026-02-18 09:19:14 +01:00
Kara Engelhardt	1c305e4b30	Store failed offline checkin if successful online checkin with same nonce exists	2026-02-17 10:41:05 +01:00
KarlKeu00	ea114b4f64	Fix HTML closing tags in pending.html (#5893 )	2026-02-17 10:20:28 +01:00
dependabot[bot]	0342613635	Update fakeredis requirement from ==2.33.* to ==2.34.* (#5899 ) Updates the requirements on [fakeredis](https://github.com/cunla/fakeredis-py) to permit the latest version. - [Release notes](https://github.com/cunla/fakeredis-py/releases) - [Commits](https://github.com/cunla/fakeredis-py/compare/v2.33.0...v2.34.0) --- updated-dependencies: - dependency-name: fakeredis dependency-version: 2.34.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-17 10:16:35 +01:00
dependabot[bot]	743c4b796b	Update sentry-sdk requirement from ==2.52.* to ==2.53.* (#5898 ) Updates the requirements on [sentry-sdk](https://github.com/getsentry/sentry-python) to permit the latest version. - [Release notes](https://github.com/getsentry/sentry-python/releases) - [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-python/compare/2.52.0a1...2.53.0) --- updated-dependencies: - dependency-name: sentry-sdk dependency-version: 2.53.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-17 10:16:27 +01:00
Raphael Michel	8a7f54795e	Vouchers: Fix field label inconsistency (Z#23222887) (#5902 ) The field Voucher.price_mode is sometimes called "Price mode" and sometimes "Price effect" in the UI, which is inconsistent. I think "price effect" is a little clearer, but I don't really care as long as it is consistent.	2026-02-17 10:16:12 +01:00
Raphael Michel	cb464ad597	Remove back link from 404 error page (#23222967 ) (#5901 ) I've kept it for 400/403/500/csrffail for now, because they also have a "try again" link. Yes, both things have browser buttons, but they make it a little clearer to technical users what one could to next, and especially on csrffail, "step back" is always possible and possibly actually helpful.	2026-02-17 10:16:05 +01:00
Raphael Michel	119cc50897	Fix inconsistent singular/plural use in text (Z#23223585)	2026-02-17 09:31:08 +01:00
Raphael Michel	61f9cf13b4	Order change: Fix list of unchangeable add-ons not filtered to category (Z#23223330) (#5876 )	2026-02-16 15:13:24 +01:00
Raphael Michel	f24429a7c5	Fix tests on Python <3.11	2026-02-16 13:40:00 +01:00
Raphael Michel	29ed07ccce	Merge branch 'pajowu/security-plaintext-placeholder' into 'master' SECURITY: Prevent placeholder injection in plaintext emails See merge request pretix/pretix!21	2026-02-16 10:59:44 +01:00
Nate Horst	dd0cd7ab0b	Translations: Update Thai Currently translated at 36.0% (2237 of 6207 strings) Translation: pretix/pretix Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/th/ powered by weblate	2026-02-16 10:44:21 +01:00
Nate Horst	d7df906995	Translations: Update Thai Currently translated at 36.0% (2237 of 6207 strings) Translation: pretix/pretix Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/th/ powered by weblate	2026-02-16 10:44:21 +01:00
Ruud Hendrickx	839f4b4657	Translations: Update Dutch (Belgium) Currently translated at 0.1% (12 of 6207 strings) Translation: pretix/pretix Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/nl_BE/ powered by weblate	2026-02-16 10:44:21 +01:00
Ruud Hendrickx	74f7e1f61c	Translations: Add Dutch (Belgium)	2026-02-16 10:44:21 +01:00
Yasunobu YesNo Kawaguchi	47919afab0	Translations: Update Japanese Currently translated at 100.0% (256 of 256 strings) Translation: pretix/pretix (JavaScript parts) Translate-URL: https://translate.pretix.eu/projects/pretix/pretix-js/ja/ powered by weblate	2026-02-16 10:44:21 +01:00
Yasunobu YesNo Kawaguchi	819daa99f7	Translations: Update Japanese Currently translated at 100.0% (6207 of 6207 strings) Translation: pretix/pretix Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/ja/ powered by weblate	2026-02-16 10:44:21 +01:00
Ruud Hendrickx	8512e79d68	Translations: Update Dutch (informal) (nl_Informal) Currently translated at 100.0% (6207 of 6207 strings) Translation: pretix/pretix Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/nl_Informal/ powered by weblate	2026-02-16 10:44:21 +01:00
Ruud Hendrickx	52672ae25b	Translations: Update Dutch Currently translated at 100.0% (6207 of 6207 strings) Translation: pretix/pretix Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/nl/ powered by weblate	2026-02-16 10:44:21 +01:00
Raphael Michel	ad752dc617	Fix placeholder injection with django templates	2026-02-13 13:36:12 +01:00
Raphael Michel	43c6c33bd8	SafeFormatter: Ignore conversion spec	2026-02-13 12:35:49 +01:00
Raphael Michel	88c9f8c047	Remove duplicate rendering of plain content without variables	2026-02-13 12:30:01 +01:00
Raphael Michel	2d2663f15f	Mark strings as formatted to prevent double-formatting	2026-02-13 12:28:32 +01:00
Kara Engelhardt	ae6014708b	SECURITY: Prevent placeholder injcetion in plaintext emails	2026-02-13 12:28:32 +01:00
Richard Schreiber	d1686df07c	Move request.GET.items to ctx (#5889 )	2026-02-12 12:05:08 +01:00
Richard Schreiber	4d60d7bfbc	Fix widget quantity prefill (#5886 )	2026-02-12 12:04:11 +01:00
Phin Wolkwitz	c0b93fedc5	Hide company name field in order info for individual customers (Z#23212149, Z#23216249) (#5887 )	2026-02-11 16:15:23 +01:00