id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10296	Unescaped output from FileField.url	Masklinn	nobody	"{{{FileField.url}}} doesn't escape its output, resulting in validation errors if the URL contains spaces and breakages if it contains non-ascii characters or {{{?}}}.

This is related to #5160 basically the same bug using the old {{{FileField}}} and the {{{get_FOO_url}}} method.

The patch attached fixes the issue, but is fairly hacky in that self.storage.url returns the complete url (including scheme and netloc) so {{{:}}} has to be ignored on top of {{{/}}}. It would be nice to use {{{urllib.urlsplit}}} and escape only the {{{path}}}, but that breaks in case there's a {{{?}}} in the file path.
"		closed	File uploads/storage	1.0		duplicate	filefield url escaping quote		Unreviewed	1	0	0	0	0	0