#22267: django.utils.html.smart_urlquote() is incorrectly unquoting the url ---------------------------------+------------------------------------ Reporter: meenzam@… | Owner: nobody Type: Bug | Status: new Component: Template system | Version: master Severity: Normal | Resolution: Keywords: | Triage Stage: Accepted Has patch: 0 | Needs documentation: 0 Needs tests: 0 | Patch needs improvement: 0 Easy pickings: 0 | UI/UX: 0 ---------------------------------+------------------------------------ Changes (by erikr):
* needs_better_patch: => 0 * version: 1.5 => master * needs_tests: => 0 * needs_docs: => 0 * stage: Unreviewed => Accepted Comment: It would seem the purpose of its current implementation is that a URL which is already quoted is not quoted again, but an unquoted URL will be quoted. The context in which this is applied, is django.utils.html.urlize. This was added in #9655 (https://github.com/django/django/commit/e3a7bfccbb83712caf0645e4e33f5c03d9dc462b), although at that time with a little more code than it's current version. The characters you are expecting to be escaped are currently marked as safe. Otherwise, even `http://example.com?q=` would already have the URL encoding applied to it. At first sight, a solution seems to be to make `smart_urlquote` even smarter, and only consider the currently listed characters safe if they are not within a URL parameter themselves. I agree that this is a bug after all. -- Ticket URL: <https://code.djangoproject.com/ticket/22267#comment:1> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/075.d8b8dfe1c4e27f49a0e6ebb271696af3%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.