Re: [Django] #22267: django.utils.html.smart_urlquote() is incorrectly unquoting the url

Thu, 13 Mar 2014 03:43:34 -0700 

#22267: django.utils.html.smart_urlquote() is incorrectly unquoting the url
---------------------------------+------------------------------------
     Reporter:  meenzam@…        |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  Template system  |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  0                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------
Changes (by erikr):

 * needs_better_patch:   => 0
 * version:  1.5 => master
 * needs_tests:   => 0
 * needs_docs:   => 0
 * stage:  Unreviewed => Accepted


Comment:

 It would seem the purpose of its current implementation is that a URL
 which is already quoted is not quoted again, but an unquoted URL will be
 quoted. The context in which this is applied, is django.utils.html.urlize.
 This was added in #9655
 
(https://github.com/django/django/commit/e3a7bfccbb83712caf0645e4e33f5c03d9dc462b),
 although at that time with a little more code than it's current version.

 The characters you are expecting to be escaped are currently marked as
 safe. Otherwise, even `http://example.com?q=` would already have the URL
 encoding applied to it. At first sight, a solution seems to be to make
 `smart_urlquote` even smarter, and only consider the currently listed
 characters safe if they are not within a URL parameter themselves. I agree
 that this is a bug after all.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/22267#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/075.d8b8dfe1c4e27f49a0e6ebb271696af3%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to