Update default from http to https in urlize when protocol not provided

[Saravana]

In django/utils/html.py, urlize there is:

url = smart_urlquote("http://%s" % html.unescape(middle))

When user input does not include a protocol it defaults to http (Insecure Protocol).

Example :
Considered a web app using urlize() for password reset email template

input = "Password reset link myapp.com/password/reset/{token}"

output:

"Password reset link <a href="http://myapp.com/password/reset/{token}"/>"

so when end user of myapp clicks it the url with token sent in http insecure protocol.
This behavior could potentially lead to man-in-the-middle attacks

Suggested Fix:
Default to HTTPS: If the URL doesn't specify a protocol, Django could default to ​https://

[Sarah Boyce]

Thank you!
Note that the security team discussed this and agreed this can be handled publicly. This is similar to #34380.

[Adam Johnson]

I think we can use a plan similar to how #34380 shook out, with a plan like:

1. Introduce a transitional setting (URLIZE_ASSUME_HTTPS) that defaults to False. This goes on the deprecation plan for removal in N+2 versions.
2. When the ​responsible code path is hit (which should be fairly rare as it only applies to ​limited domains), check the setting. If it’s False, warn and use 'http', otherwise use 'https'.

[Saravana]

Yeah sure,
i will work on that

[IronJam]

I will be happy to work on this one if its available

[Ahmed Nassar]

I’d love to contribute to this issue.

[Saravana]

Replying to Ahmed Nassar:

I’d love to contribute to this issue.

Yeah you can work on it

[Ahmed Nassar]

The issue regarding defaulting to HTTP instead of HTTPS in urlize has been addressed. A fix has been implemented to ensure that URLs without a specified protocol now default to HTTPS, improving security and preventing potential MITM attacks.

🔗 Pull Request: ​https://github.com/django/django/pull/19240

Summary of Fix:

• Added URLIZE_ASSUME_HTTPS setting (default: False) to control protocol selection
• Deprecated ​http:// default in Django 5.2
• Will make ​https:// the default in Django 6.0 (following deprecation policy)
• Added comprehensive tests and documentation
• Ensures backward compatibility during transition
• Improves security by preventing MITM attacks

Implementation follows Django's deprecation policy (N+2 versions) for a smooth transition. All tests are passing, and documentation has been updated accordingly.

Looking forward to your review and feedback!

[Ahmed Nassar]

I have completed all requested changes in the PR ​https://github.com/django/django/pull/19240, including:

Addressing all review comments.
Pushing a commit with the latest updates.
Ensuring all tests pass successfully.
Updating the documentation to reflect the introduced URLIZE_ASSUME_HTTPS setting.

Additionally, I have added and updated some tests and documentation to ensure proper coverage and clarity. Given that the Trac ticket currently has "Needs tests: No" and "Needs documentation: No", should these be updated to "Needs tests: Yes" and "Needs documentation: Yes" to reflect these additions?

[Sarah Boyce]

Additionally, I have added and updated some tests and documentation to ensure proper coverage and clarity. Given that the Trac ticket currently has "Needs tests: No" and "Needs documentation: No", should these be updated to "Needs tests: Yes" and "Needs documentation: Yes" to reflect these additions?

Yes when you want another review, you should do this as it will put the ticket in the review queue. I have given a review, so once you've resolved those comments you can update this ticket

[Ahmed Nassar]

Thank you for the review and clarification.

• Addressed and resolved all comments in the PR ​https://github.com/django/django/pull/19240
• Ensured passing all tests and documentation checks correctly.

Looking forward to your review and feedback!

[Sarah Boyce <42296566+sarahboyce@…>]

In ec7044c7:

Fixed #36000 -- Deprecated HTTP as the default protocol in urlize and urlizetrunc.