From 34a7238ba5aa809d06ab5ddc7bc61ccaecd457ec Mon Sep 17 00:00:00 2001
From: Tobias Bengfort
Date: Wed, 12 Jan 2022 11:09:41 +0100
Subject: [PATCH] avoid calling .format() on user input

We also use .replace() in other places like this
---
 castellum/appointments/helpers.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/castellum/appointments/helpers.py b/castellum/appointments/helpers.py
index 54a75e1c6..4cf0137e2 100644
--- a/castellum/appointments/helpers.py
+++ b/castellum/appointments/helpers.py
@@ -122,10 +122,9 @@ def get_external_resource_events(resource, start, end):
 return []
 try:
 events = []
-url = resource.url.format(
-start=quote_plus(start.isoformat()),
-end=quote_plus(end.isoformat()),
-)
+url = resource.url\
+.replace('{start}', quote_plus(start.isoformat()))\
+.replace('{end}', quote_plus(end.isoformat()))
 text = cached_request(url, timeout=60)
 for event in icalparser.parse_events(text, start=start, end=end):
 events.append({
--
GitLab
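Review bot: Switching to `.replace()` closes the format-string hole (a `{start.__class__...}` placeholder could no longer walk attributes, and stray braces no longer raise), but the built `url` still flows straight into `cached_request(url, timeout=60)` with no check on what it points at; since the subject line says `resource.url` is user input, the server will fetch whatever scheme and host the user stored there, so a scheme guard such as `if urlsplit(url).scheme not in ('http', 'https'): return []` (and, if this app has a notion of allowed hosts, a host check) belongs right after the URL is assembled. Whether an allow-list of hosts is feasible depends on how resources are provisioned, which this hunk does not show. As a style point, the trailing backslashes on the new `url =` lines are fragile (a trailing space after `\` is a SyntaxError) and PEP 8 prefers parentheses: `url = (resource.url` / `.replace('{start}', quote_plus(start.isoformat()))` / `.replace('{end}', quote_plus(end.isoformat())))`. The enclosing `get_external_resource_events` starts before and continues after this hunk.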