id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30043	AdminURLFieldWidget incorrectly unquotes URLs e.g. containing %2F	Brenton Partridge	Brady	"Intended behavior: If a URLField is used in the Django admin, and the currently saved URL in the database contains the escape %2F, the href of the rendered link should contain that escape verbatim (e.g. %2F, not a / in that location).

Current behavior (master branch, Python 3.7.0): The href of the rendered link contains a / in that location, creating an extra portion of the path and, when clicked, sending the admin user to a completely different and unintended URL.

Root cause: https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/contrib/admin/widgets.py#L340 uses `smart_urlquote` to set the href (subsequently read by https://github.com/django/django/blob/master/django/contrib/admin/templates/admin/widgets/url.html ).

smart_urlquote (as implemented here: https://github.com/django/django/blob/315357ad25a6590e7f4564ec2e56a22132b09001/django/utils/html.py#L203 ) has caused problems before, e.g. https://code.djangoproject.com/ticket/28123 . That issue, though, refers to a backport, whereas this behavior is broken on the master branch in Python 3.

One fix would be to not use smart_urlquote, and just ensure that the href is set to the exact same value as initially shown in the input field and rendered as the text of the <a> tag. Is there a reason why smart_urlquote was used in the first place, though?

I'm happy to submit a patch and test case if this is a desired fix."	Bug	closed	contrib.admin	dev	Normal	needsinfo	admin, urlfield, smart_urlquote, url, quote	Florian Apolloner Brady	Accepted	1	0	1	1	0	0
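The behaviour reported in this ticket can be reproduced with the standard library alone. The block below is an added example, not Django's code and not a patch from the ticket: `unquote_then_quote` is a simplified model of a decode-then-re-encode step, and a check flags when a rendered href no longer addresses the same path as the stored value. All function names, the `SAFE` set and the example.com URLs are constructed for illustration, and `quote_preserving_escapes` is one hypothetical alternative, not a fix adopted by the project.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Assumption: characters left unescaped when re-quoting
# (RFC 3986 gen-delims and sub-delims, plus "~").
SAFE = ":/?#[]@" + "!$&'()*+,;=" + "~"


def unquote_then_quote(url):
    """Simplified model of decode-then-re-encode on the path.

    %2F decodes to "/", and "/" is in SAFE, so it is never re-encoded:
    the escaped slash becomes a real path separator.
    """
    scheme, netloc, path, query, fragment = urlsplit(url)
    path = quote(unquote(path), safe=SAFE)
    return urlunsplit((scheme, netloc, path, query, fragment))


def quote_preserving_escapes(url):
    """Hypothetical alternative: quote unsafe characters but treat "%" as
    safe, so existing %XX escapes survive (a stray "%" is also kept as is)."""
    scheme, netloc, path, query, fragment = urlsplit(url)
    path = quote(path, safe=SAFE + "%")
    return urlunsplit((scheme, netloc, path, query, fragment))


def path_segments(url):
    """Path segments as split on literal "/" only; %2F stays inside a segment."""
    return urlsplit(url).path.split("/")


def changes_path_structure(stored, rendered):
    """True when the rendered href addresses a different path than the stored URL."""
    return path_segments(stored) != path_segments(rendered)


if __name__ == "__main__":
    stored = "http://example.com/files/a%2Fb/view"  # constructed sample value
    for render in (unquote_then_quote, quote_preserving_escapes):
        href = render(stored)
        print(render.__name__, href, changes_path_structure(stored, href))
```

A check like `changes_path_structure` fits a widget regression test: render the stored value, extract the href, and assert the two address the same path segments.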
