reminders: Stop interpolating user-provided values in format string.

We must not intermix Markdown strings which are ready for the message, with format strings which we intend to interpolate on. (cherry picked from commit 575dd10f99)
2025-11-03 13:33:24 +00:00 · 2025-08-20 18:53:54 +00:00
parent 14199cdb62
commit 9baccbce5e
2 changed files with 21 additions and 3 deletions
--- a/zerver/lib/reminders.py
+++ b/zerver/lib/reminders.py
@@ -88,11 +88,12 @@ def get_reminder_formatted_content(
        content += "\n"
        fence = get_unused_fence(content)
        quoted_message = "{fence}quote\n{msg_content}\n{fence}"
-        content += quoted_message
-        length_without_message_content = len(content.format(fence=fence, msg_content=""))
+        length_without_message_content = len(
+            content + quoted_message.format(fence=fence, msg_content="")
+        )
        max_length = settings.MAX_MESSAGE_LENGTH - length_without_message_content
        msg_content = truncate_content(message.content, max_length, "\n[message truncated]")
-        content = content.format(
+        content += quoted_message.format(
            fence=fence,
            msg_content=msg_content,
        )
--- a/zerver/tests/test_reminders.py
+++ b/zerver/tests/test_reminders.py
@@ -463,3 +463,20 @@ class RemindersTest(ZulipTestCase):
                f"Maximum reminder note length: {len(note) - 1} characters",
                status_code=400,
            )
+
+        # Test with note containing formatting characters
+        note = "{123}"
+        content = "{456}"
+        message_id = self.send_stream_message(
+            self.example_user("hamlet"), "Verona", content, topic_name="{789}"
+        )
+        result = self.do_schedule_reminder(message_id, scheduled_delivery_timestamp, note)
+        self.assert_json_success(result)
+        scheduled_message = self.last_scheduled_reminder()
+        self.assertEqual(
+            scheduled_message.content,
+            "You requested a reminder for #**Verona>{789}@"
+            + str(message_id)
+            + "**. Note:\n > {123}\n\n"
+            f"@_**King Hamlet|10** [said](http://zulip.testserver/#narrow/channel/3-Verona/topic/.7B789.7D/near/{message_id}):\n```quote\n{content}\n```",
+        )