id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32702	urlize() should not decode URL fragments	Victor Shih	nobody	"Currently `urlize()` will unquote then quote the fragment component of URLs. This transformation can be problematic - for example if it contains a %-encoded URL:

example.com/home#next=https%3A%2F%2Fexample2.com

This results in:

<a href=""https://example.com/home#next=https://example2.com"">https://example.com/home#next=https%3A%2F%2Fexample2.com</a>

Note how the generated href has its fragment decoded.

Because the formatting for the fragment is completely arbitrary and site-dependent, I suggest that the fragment should not be altered at all and simply rendered as-is.

Patch: https://github.com/django/django/pull/14275

Related ticket: https://code.djangoproject.com/ticket/9655

Previous related PRs:
https://github.com/django/django/pull/2902
https://github.com/django/django/pull/4253
https://github.com/django/django/pull/4292
"	Bug	closed	Utilities	3.2	Normal	needsinfo			Unreviewed	1	0	0	0	0	0
