reminders: Stop interpolating user-provided values in format string.

We must not intermix Markdown strings which are ready for the message, with format strings which we intend to interpolate on.
2025-10-23 04:52:12 +00:00 · 2025-08-20 18:53:54 +00:00
parent 1caff10df7
commit 575dd10f99
2 changed files with 21 additions and 3 deletions
--- a/zerver/lib/reminders.py
+++ b/zerver/lib/reminders.py
@@ -88,11 +88,12 @@ def get_reminder_formatted_content(
        content += "\n"
        fence = get_unused_fence(content)
        quoted_message = "{fence}quote\n{msg_content}\n{fence}"
-        content += quoted_message
-        length_without_message_content = len(content.format(fence=fence, msg_content=""))
+        length_without_message_content = len(
+            content + quoted_message.format(fence=fence, msg_content="")
+        )
        max_length = settings.MAX_MESSAGE_LENGTH - length_without_message_content
        msg_content = truncate_content(message.content, max_length, "\n[message truncated]")
-        content = content.format(
+        content += quoted_message.format(
            fence=fence,
            msg_content=msg_content,
        )
--- a/zerver/tests/test_reminders.py
+++ b/zerver/tests/test_reminders.py
@@ -463,3 +463,20 @@ class RemindersTest(ZulipTestCase):
                f"Maximum reminder note length: {len(note) - 1} characters",
                status_code=400,
            )
+
+        # Test with note containing formatting characters
+        note = "{123}"
+        content = "{456}"
+        message_id = self.send_stream_message(
+            self.example_user("hamlet"), "Verona", content, topic_name="{789}"
+        )
+        result = self.do_schedule_reminder(message_id, scheduled_delivery_timestamp, note)
+        self.assert_json_success(result)
+        scheduled_message = self.last_scheduled_reminder()
+        self.assertEqual(
+            scheduled_message.content,
+            "You requested a reminder for #**Verona>{789}@"
+            + str(message_id)
+            + "**. Note:\n > {123}\n\n"
+            f"@_**King Hamlet|10** [said](http://zulip.testserver/#narrow/channel/3-Verona/topic/.7B789.7D/near/{message_id}):\n```quote\n{content}\n```",
+        )