From 9baccbce5e7267316fbe821129f96fff2678d0ea Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 20 Aug 2025 18:53:54 +0000 Subject: [PATCH] reminders: Stop interpolating user-provided values in format string. We must not intermix Markdown strings which are ready for the message, with format strings which we intend to interpolate on. (cherry picked from commit 575dd10f996b48d1605173e8d273f606468dd3ea) --- zerver/lib/reminders.py | 7 ++++--- zerver/tests/test_reminders.py | 17 +++++++++++++++++ 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/zerver/lib/reminders.py b/zerver/lib/reminders.py index 78c952519e..82b9df68cc 100644 --- a/zerver/lib/reminders.py +++ b/zerver/lib/reminders.py @@ -88,11 +88,12 @@ def get_reminder_formatted_content( content += "\n" fence = get_unused_fence(content) quoted_message = "{fence}quote\n{msg_content}\n{fence}" - content += quoted_message - length_without_message_content = len(content.format(fence=fence, msg_content="")) + length_without_message_content = len( + content + quoted_message.format(fence=fence, msg_content="") + ) max_length = settings.MAX_MESSAGE_LENGTH - length_without_message_content msg_content = truncate_content(message.content, max_length, "\n[message truncated]") - content = content.format( + content += quoted_message.format( fence=fence, msg_content=msg_content, ) diff --git a/zerver/tests/test_reminders.py b/zerver/tests/test_reminders.py index 0d4613ac15..7b22b3334b 100644 --- a/zerver/tests/test_reminders.py +++ b/zerver/tests/test_reminders.py @@ -463,3 +463,20 @@ class RemindersTest(ZulipTestCase): f"Maximum reminder note length: {len(note) - 1} characters", status_code=400, ) + + # Test with note containing formatting characters + note = "{123}" + content = "{456}" + message_id = self.send_stream_message( + self.example_user("hamlet"), "Verona", content, topic_name="{789}" + ) + result = self.do_schedule_reminder(message_id, scheduled_delivery_timestamp, note) + self.assert_json_success(result) + scheduled_message = self.last_scheduled_reminder() + self.assertEqual( + scheduled_message.content, + "You requested a reminder for #**Verona>{789}@" + + str(message_id) + + "**. Note:\n > {123}\n\n" + f"@_**King Hamlet|10** [said](http://zulip.testserver/#narrow/channel/3-Verona/topic/.7B789.7D/near/{message_id}):\n```quote\n{content}\n```", + )