#30043: AdminURLFieldWidget incorrectly unquotes URLs e.g. containing %2F
-------------------------------------+-------------------------------------
 Reporter: Brenton Partridge         | Owner: nobody
 Type: Bug                           | Status: new
 Component: contrib.admin            | Version: master
 Severity: Normal                    | Keywords: admin, urlfield, smart_urlquote, url, quote
 Triage Stage: Unreviewed            | Has patch: 0
 Needs documentation: 0              | Needs tests: 0
 Patch needs improvement: 0          | Easy pickings: 0
 UI/UX: 0                            |
-------------------------------------+-------------------------------------

Intended behavior: If a URLField is used in the Django admin, and the currently saved URL in the database contains the escape %2F, the href of the rendered link should contain that escape verbatim (e.g. %2F, not a / in that location).

Current behavior (master branch, Python 3.7.0): The href of the rendered link contains a / in that location, creating an extra portion of the path and, when clicked, sending the admin user to a completely different and unintended URL.

Root cause: https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/contrib/admin/widgets.py#L340 uses `smart_urlquote` to set the href (subsequently read by https://github.com/django/django/blob/master/django/contrib/admin/templates/admin/widgets/url.html).

smart_urlquote (as implemented here: https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/utils/html.py#L203) has caused problems before, e.g. https://code.djangoproject.com/ticket/28123. That issue, though, refers to a backport, whereas this behavior is broken on the master branch in Python 3.

One fix would be to not use smart_urlquote, and just ensure that the href is set to the exact same value as initially shown in the input field and rendered as the text of the <a> tag. Is there a reason why smart_urlquote was used in the first place, though?

I'm happy to submit a patch and test case if this is a desired fix.

--
Ticket URL: <https://code.djangoproject.com/ticket/30043>
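
The behaviour reported above, as an added example that is not part of the ticket and is not Django's code: `requote_lossy` is a simplified model of an unquote-then-requote normalizer, shown beside a variant that leaves existing escapes alone. All function names and the example.com URL are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Left unescaped when quoting: RFC 3986 gen-delims, sub-delims and "~".
SAFE = ":/?#[]@" + "!$&'()*+,;=" + "~"
VALID_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def requote_lossy(path):
    """Unquote, then quote again: %2F decodes to "/" and, being safe, stays decoded."""
    return quote(unquote(path), safe=SAFE)


def quote_preserving(path):
    """Quote only what needs it; existing valid %XX escapes pass through untouched."""
    out, pos = [], 0
    for match in VALID_ESCAPE.finditer(path):
        out.append(quote(path[pos:match.start()], safe=SAFE))
        out.append(match.group(0))
        pos = match.end()
    out.append(quote(path[pos:], safe=SAFE))  # a stray "%" here becomes %25
    return "".join(out)


def normalize(url, quoter):
    """Apply a quoting function to the path component of a URL."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=quoter(parts.path)))


def changes_target(url, quoter):
    """True if normalization alters the number of path segments,
    i.e. the rendered href would point somewhere other than the stored URL."""
    before = urlsplit(url).path.count("/")
    after = urlsplit(normalize(url, quoter)).path.count("/")
    return before != after


if __name__ == "__main__":
    stored = "https://example.com/files/a%2Fb/report 1"  # constructed sample value
    for quoter in (requote_lossy, quote_preserving):
        print(quoter.__name__, normalize(stored, quoter), changes_target(stored, quoter))
```

A check like `changes_target` can serve as a regression test for any href normalizer: the stored value and the rendered link must agree on path structure.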