Opened 3 years ago
Closed 3 years ago
#32702 closed Bug (needsinfo)
urlize() should not decode URL fragments
| Reported by: | Victor Shih | Owned by: | nobody |
|---|---|---|---|
| Component: | Utilities | Version: | 3.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Currently urlize() will unquote then quote the fragment component of URLs. This transformation can be problematic - for example if it contains a %-encoded URL:
example.com/home#next=https%3A%2F%2Fexample2.com
This results in:
<a href="https://example.com/home#next=https://example2.com">https://example.com/home#next=https%3A%2F%2Fexample2.com</a>
Note how the generated href has its fragment decoded.
Because the formatting for the fragment is completely arbitrary and site-dependent, I suggest that the fragment should not be altered at all and simply rendered as-is.
Patch: https://github.com/django/django/pull/14275
Related ticket: https://code.djangoproject.com/ticket/9655
Previous related PRs:
https://github.com/django/django/pull/2902
https://github.com/django/django/pull/4253
https://github.com/django/django/pull/4292
Hi Victor — I'm going to mark this as needsinfo following Florian's comment on the PR. I'm very happy to discuss this with you, and see if we can make sure we're 100% clear before proceeding (but I think we need that discussion before moving forwards) — I hope that makes sense. Thanks.