Escaping update

Update escaping
Apply suggestions from code review
2025-12-24 17:12:27 +00:00 · 2025-12-19 15:59:05 +01:00 · 2025-12-19 15:43:05 +01:00 · 2025-12-19 15:21:32 +01:00 · 2025-12-19 11:49:16 +01:00
3 changed files with 32 additions and 9 deletions
--- a/src/pretix/base/services/placeholders.py
+++ b/src/pretix/base/services/placeholders.py
@@ -801,7 +801,11 @@ def get_sample_context(event, context_parameters, rich=True):
        sample = v.render_sample(event)
        if isinstance(sample, PlainHtmlAlternativeString):
            context_dict[k] = PlainHtmlAlternativeString(
-                sample.plain,
+                '<{el} class="placeholder" title="{title}">{plain}</{el}>'.format(
+                    el='span',
+                    title=lbl,
+                    plain=escape(sample.plain),
+                ),
                '<{el} class="placeholder placeholder-html" title="{title}">{html}</{el}>'.format(
                    el='div' if sample.is_block else 'span',
                    title=lbl,
--- a/src/pretix/control/forms/event.py
+++ b/src/pretix/control/forms/event.py
@@ -45,7 +45,7 @@ from django.core.exceptions import NON_FIELD_ERRORS, ValidationError
 from django.db.models import Prefetch, Q, prefetch_related_objects
 from django.forms import formset_factory, inlineformset_factory
 from django.urls import reverse
-from django.utils.functional import cached_property
+from django.utils.functional import cached_property, lazy
 from django.utils.html import escape, format_html
 from django.utils.safestring import mark_safe
 from django.utils.timezone import get_current_timezone_name
@@ -53,7 +53,7 @@ from django.utils.translation import gettext, gettext_lazy as _, pgettext_lazy
 from django_countries.fields import LazyTypedChoiceField
 from django_scopes.forms import SafeModelMultipleChoiceField
 from i18nfield.forms import (
-    I18nForm, I18nFormField, I18nFormSetMixin, I18nTextInput,
+    I18nForm, I18nFormField, I18nFormSetMixin, I18nTextarea, I18nTextInput,
 )
 from pytz import common_timezones

@@ -1311,9 +1311,17 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
    mail_text_order_invoice = I18nFormField(
        label=_("Text"),
        required=False,
-        widget=I18nMarkdownTextarea,
-        help_text=_("This will only be used if the invoice is sent to a different email address or at a different time "
-                    "than the order confirmation."),
+        widget=I18nTextarea,  # no Markdown supported
+        help_text=lazy(
+            lambda: str(_(
+                "This will only be used if the invoice is sent to a different email address or at a different time "
+                "than the order confirmation."
+            )) + " " + str(_(
+                "Formatting is not supported, as some accounting departments process mail automatically and do not "
+                "handle formatted emails properly."
+            )),
+            str
+        )()
    )
    mail_subject_download_reminder = I18nFormField(
        label=_("Subject sent to order contact address"),
@@ -1481,6 +1489,9 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
        'mail_subject_resend_all_links': ['event', 'orders'],
        'mail_attach_ical_description': ['event', 'event_or_subevent'],
    }
+    plain_rendering = {
+        'mail_text_order_invoice',
+    }

    def __init__(self, *args, **kwargs):
        self.event = event = kwargs.get('obj')
@@ -1499,7 +1510,7 @@ class MailSettingsForm(FormPlaceholderMixin, SettingsForm):
        self.event.meta_values_cached = self.event.meta_values.select_related('property').all()

        for k, v in self.base_context.items():
-            self._set_field_placeholders(k, v, rich=k.startswith('mail_text_'))
+            self._set_field_placeholders(k, v, rich=k.startswith('mail_text_') and k not in self.plain_rendering)

        for k, v in list(self.fields.items()):
            if k.endswith('_attendee') and not event.settings.attendee_emails_asked:
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -829,8 +829,8 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
        return locales

    # get all supported placeholders with dummy values
-    def placeholders(self, item):
-        return get_sample_context(self.request.event, MailSettingsForm.base_context[item])
+    def placeholders(self, item, rich=True):
+        return get_sample_context(self.request.event, MailSettingsForm.base_context[item], rich=rich)

    def post(self, request, *args, **kwargs):
        preview_item = request.POST.get('item', '')
@@ -851,6 +851,14 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
                                msgs[self.supported_locale[idx]] = prefix_subject(self.request.event, format_map(
                                    bleach.clean(v), self.placeholders(preview_item), raise_on_missing=True
                                ), highlight=True)
+                            elif preview_item in MailSettingsForm.plain_rendering:
+                                msgs[self.supported_locale[idx]] = mark_safe(
+                                    format_map(
+                                        conditional_escape(v),
+                                        self.placeholders(preview_item, rich=False),
+                                        raise_on_missing=True
+                                    ).replace("\n", "<br />")
+                                )
                            else:
                                placeholders = self.placeholders(preview_item)
                                msgs[self.supported_locale[idx]] = format_map(
Author	SHA1	Message	Date
Raphael Michel	22d6426c3e	Escaping update	2025-12-19 15:59:05 +01:00
Raphael Michel	61b398949e	Update escaping	2025-12-19 15:43:05 +01:00
Raphael Michel	d0a1fcfb12	Apply suggestions from code review Co-authored-by: luelista <weller@rami.io>	2025-12-19 15:21:32 +01:00
Raphael Michel	a9edf2ef8a	Mail settings: Correctly declare plaintext email (Z#23218835)	2025-12-19 11:49:16 +01:00