#30043: AdminURLFieldWidget incorrectly unquotes URLs e.g. containing %2F
-------------------------------------+-------------------------------------
               Reporter:  Brenton Partridge
                  Owner:  nobody
                   Type:  Bug
                 Status:  new
              Component:  contrib.admin
                Version:  master
               Severity:  Normal
               Keywords:  admin, urlfield, smart_urlquote, url, quote
           Triage Stage:  Unreviewed
              Has patch:  0
    Needs documentation:  0
            Needs tests:  0
Patch needs improvement:  0
          Easy pickings:  0
                  UI/UX:  0
-------------------------------------+-------------------------------------
 Intended behavior: If a URLField is used in the Django admin, and the
 currently saved URL in the database contains the escape %2F, the href of
 the rendered link should contain that escape verbatim (e.g. %2F, not a /
 in that location).

 Current behavior (master branch, Python 3.7.0): The href of the rendered
 link contains a / in that location, creating an extra portion of the path
 and, when clicked, sending the admin user to a completely different and
 unintended URL.

 Root cause:
 https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/contrib/admin/widgets.py#L340
 uses `smart_urlquote` to set the href (subsequently read by
 https://github.com/django/django/blob/master/django/contrib/admin/templates/admin/widgets/url.html
 ).

 smart_urlquote (as implemented here:
 https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/utils/html.py#L203
 ) has caused problems before e.g.
 https://code.djangoproject.com/ticket/28123 . That issue, though, refers
 to a backport, whereas this behavior is broken on the master branch in
 Python 3.

 One fix would be to not use smart_urlquote, and just ensure that the href
 is set to the exact same value as initially shown in the input field and
 rendered as the text of the <a> tag. Is there a reason why smart_urlquote
 was used in the first place, though?

 I'm happy to submit a patch and test case if this is a desired fix.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30043>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
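
The mismatch reported in this ticket can be reproduced with the standard library alone. The sketch below is an added example, not code from the ticket or from Django: `unquote_then_quote` is a simplified stand-in for the decode-then-re-encode behaviour the ticket attributes to `smart_urlquote`, `quote_preserving_escapes` is one hypothetical alternative, and the sample URL is constructed.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# RFC 3986 delimiter sets. '/' is a gen-delim, so quote() never re-encodes it.
GENDELIMS = ":/?#[]@"
SUBDELIMS = "!$&'()*+,;="
SAFE = GENDELIMS + SUBDELIMS + "~"

# Constructed sample: %2F is data inside one path segment, not a separator.
SAVED = "https://example.com/files/reports%2F2018/view"


def _with_path(parts, path):
    """Rebuild a URL from urlsplit() parts with a replacement path."""
    return urlunsplit((parts.scheme, parts.netloc, path,
                       parts.query, parts.fragment))


def unquote_then_quote(url):
    """Stand-in (assumption) for the behaviour in the ticket: decode every
    escape in the path, then re-encode with the delimiters marked safe.
    A decoded %2F becomes '/', which is safe, so it is never re-encoded."""
    parts = urlsplit(url)
    return _with_path(parts, quote(unquote(parts.path), safe=SAFE))


def quote_preserving_escapes(url):
    """Hypothetical alternative: encode only what needs encoding and mark
    '%' safe so existing escapes pass through untouched. A stray '%' that
    is not part of an escape also passes through unchanged."""
    parts = urlsplit(url)
    return _with_path(parts, quote(parts.path, safe=SAFE + "%"))


def path_segments(url):
    """Path split on literal '/', as a server routing the request sees it."""
    return urlsplit(url).path.split("/")


if __name__ == "__main__":
    for label, fn in (("unquote+quote", unquote_then_quote),
                      ("preserve escapes", quote_preserving_escapes)):
        href = fn(SAVED)
        print(f"{label:17} {href}  segments={path_segments(href)}")
```

A regression test for the admin widget can use the same comparison: the rendered href should have the same path segments as the stored value.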
