#9655: urlize should not quote already quoted urls.
---------------------------------------------+------------------------------
          Reporter:  flytwokites             |         Owner:  nobody
            Status:  reopened                |     Milestone:        
         Component:  Template system         |       Version:  1.0   
        Resolution:                          |      Keywords:  urlize
             Stage:  Design decision needed  |     Has_patch:  0     
        Needs_docs:  0                       |   Needs_tests:  0     
Needs_better_patch:  0                       |  
---------------------------------------------+------------------------------
Changes (by Christopher Lenz <cml...@gmx.de>):

 * cc: cml...@gmx.de (added)

Comment:

 I just came across this bug in a Django app of ours. Users copy and paste
 URLs from the location bar or from elsewhere into a text field, and when
 those URLs are already encoded (which is ''very'' likely as far as I can
 tell), `urlize` is often going to break the link (bad). I've had to copy
 and modify the whole `urlize` function and filter to get rid of the
 quoting.

 Why not just leave the URL alone, and HTML-escape it (both in the `href`
 attribute and the link text) to fend off potential XSS problems? If the
 original link did indeed require encoding, the user agent will take care
 of that, and the link will at least ''work''. The author can still go in
 and paste a properly encoded link if she's a nitpicking-validator-using
 power user.

 At the very least, it should be possible to turn off the quoting (another
 keyword arg on `django.utils.html.urlize`). But I still think the current
 behavior does not make sense and should be changed.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/9655#comment:6>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
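
An added example, not part of the ticket or Django's own code: it models the double-quoting the comment reports and the escape-only alternative it proposes, using only the Python standard library. The `requote` switch, the helper names, the safe-character set and the sample URLs are assumptions made for illustration.

```python
from html import escape
from urllib.parse import quote, unquote

# Constructed samples: a URL pasted already percent-encoded, and one
# carrying HTML metacharacters.
PASTED = "http://example.com/wiki/Caf%C3%A9?q=a%20b&lang=en"
HOSTILE = 'http://example.com/?q="><b>x'


def make_link(url, requote=True):
    """Build an anchor for url.

    requote is a hypothetical switch modelling the keyword argument the
    comment asks for; it is not a real Django parameter. The safe set is
    an assumption: what matters is that '%' is not in it.
    """
    href = quote(url, safe="/&=:;#?+*") if requote else url
    # HTML-escape both the attribute value and the link text.
    return '<a href="%s">%s</a>' % (escape(href, quote=True),
                                    escape(url, quote=True))


def href_of(link):
    """Return the raw href attribute value (still HTML-escaped)."""
    return link.split('"')[1]


if __name__ == "__main__":
    broken = href_of(make_link(PASTED))
    print(broken)            # '%' re-encoded as '%25'
    print(unquote(broken))   # one decode gives back the encoded URL, not the path
    print(make_link(PASTED, requote=False))
    print(make_link(HOSTILE, requote=False))
```

HTML-escaping here only prevents breaking out of the attribute or the link text; it does not validate the URL scheme.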